Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: root project 'webApplication'

:webApplication:unspecified

Scan Information (show all):

Display: Showing Vulnerable Dependencies (click to show all)

DependencyCPECoordinatesHighest SeverityCVE CountCPE ConfidenceEvidence Count
commons-io-1.4.jarcommons-io:commons-io:1.4 029
commons-collections-3.2.2.jarcpe:/a:apache:commons_collections:3.2.2commons-collections:commons-collections:3.2.2 0Low39
log4j-1.2.15.jarcpe:/a:apache:log4j:1.2.15log4j:log4j:1.2.15 0Low22
javax.servlet-api-3.1.0.jarjavax.servlet:javax.servlet-api:3.1.0 035
javax.websocket-api-1.0.jarjavax.websocket:javax.websocket-api:1.0 028
gretty-runner-jetty7-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty7:2.0.0 0Low10
gretty-runner-jetty-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty:2.0.0 0Low10
servlet-api-2.5.jarjavax.servlet:servlet-api:2.5 015
jetty-plus-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-plus:7.6.16.v20140903High4Low35
jetty-webapp-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-webapp:7.6.16.v20140903High4Low35
jetty-servlet-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-servlet:7.6.16.v20140903High4Low35
jetty-security-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-security:7.6.16.v20140903High4Low35
jetty-jndi-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-jndi:7.6.16.v20140903High4Low35
jetty-server-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-server:7.6.16.v20140903High4Low35
jetty-jsp-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-jsp:7.6.16.v20140903High4Low22
gretty-runner-2.0.0.jarorg.akhikhl.gretty:gretty-runner:2.0.0 010
jetty-continuation-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-continuation:7.6.16.v20140903High4Low35
jetty-http-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-http:7.6.16.v20140903High4Low33
jetty-xml-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-xml:7.6.16.v20140903High4Low35
org.apache.jasper.glassfish-2.1.0.v201110031002.jarcpe:/a:jasper_project:jasper:2.1.0.v20111003org.eclipse.jetty.orbit:org.apache.jasper.glassfish:2.1.0.v201110031002 0Low18
org.apache.taglibs.standard.glassfish-1.2.0.v201112081803.jarcpe:/a:apache:standard_taglibs:1.2.0.v20111208org.eclipse.jetty.orbit:org.apache.taglibs.standard.glassfish:1.2.0.v201112081803High1Low19
javax.servlet.jsp.jstl-1.2.0.v201105211821.jarorg.eclipse.jetty.orbit:javax.servlet.jsp.jstl:1.2.0.v201105211821 019
javax.servlet.jsp-2.1.0.v201105211820.jarorg.eclipse.jetty.orbit:javax.servlet.jsp:2.1.0.v201105211820 018
javax.el-2.1.0.v201105211819.jarorg.eclipse.jetty.orbit:javax.el:2.1.0.v201105211819 016
com.sun.el-1.0.0.v201105211818.jarorg.eclipse.jetty.orbit:com.sun.el:1.0.0.v201105211818 019
org.eclipse.jdt.core-3.7.1.jarorg.eclipse.jetty.orbit:org.eclipse.jdt.core:3.7.1 017
javax.transaction-1.1.1.v201105210645.jarorg.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1 023
groovy-json-2.4.11.jarcpe:/a:apache:groovy:2.4.11org.codehaus.groovy:groovy-json:2.4.11Medium1Low19
groovy-2.4.11.jarcpe:/a:apache:groovy:2.4.11org.codehaus.groovy:groovy:2.4.11 0Low22
commons-cli-1.2.jarcommons-cli:commons-cli:1.2 033
commons-io-2.4.jarcommons-io:commons-io:2.4 035
logback-classic-1.1.3.jarcpe:/a:logback:logback:1.1.3ch.qos.logback:logback-classic:1.1.3High1Low29
jetty-io-7.6.16.v20140903.jarorg.eclipse.jetty:jetty-io:7.6.16.v20140903 033
jetty-util-7.6.16.v20140903.jarcpe:/a:eclipse:jetty:7.6.16.v20140903
cpe:/a:jetty:jetty:7.6.16.v20140903
org.eclipse.jetty:jetty-util:7.6.16.v20140903High4Low35
javax.mail.glassfish-1.4.1.v201005082020.jarorg.eclipse.jetty.orbit:javax.mail.glassfish:1.4.1.v201005082020 016
logback-core-1.1.3.jarcpe:/a:logback:logback:1.1.3ch.qos.logback:logback-core:1.1.3High1Low29
slf4j-api-1.7.7.jarcpe:/a:slf4j:slf4j:1.7.7org.slf4j:slf4j-api:1.7.7 0Low29
javax.activation-1.1.0.v201105071233.jarorg.eclipse.jetty.orbit:javax.activation:1.1.0.v201105071233 016
gretty-runner-jetty8-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty8:2.0.0 0Low10
javax.servlet-api-3.0.1.jarjavax.servlet:javax.servlet-api:3.0.1 037
jetty-annotations-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-annotations:8.1.8.v20121106High4Low33
jetty-plus-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-plus:8.1.8.v20121106High4Low33
jetty-webapp-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-webapp:8.1.8.v20121106High4Low33
jetty-servlet-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-servlet:8.1.8.v20121106High4Low33
jetty-security-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-security:8.1.8.v20121106High4Low33
jetty-jndi-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-jndi:8.1.8.v20121106High4Low33
jetty-server-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-server:8.1.8.v20121106High4Low33
jetty-jsp-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-jsp:8.1.8.v20121106High4Low20
jetty-continuation-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-continuation:8.1.8.v20121106High4Low33
jetty-http-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-http:8.1.8.v20121106High4Low31
jetty-xml-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-xml:8.1.8.v20121106High4Low33
org.apache.jasper.glassfish-2.2.2.v201112011158.jarcpe:/a:jasper_project:jasper:2.2.2.v20111201org.eclipse.jetty.orbit:org.apache.jasper.glassfish:2.2.2.v201112011158 0Low24
javax.servlet.jsp-2.2.0.v201112011158.jarorg.eclipse.jetty.orbit:javax.servlet.jsp:2.2.0.v201112011158 018
javax.el-2.2.0.v201108011116.jarorg.eclipse.jetty.orbit:javax.el:2.2.0.v201108011116 016
com.sun.el-2.2.0.v201108011116.jarorg.eclipse.jetty.orbit:com.sun.el:2.2.0.v201108011116 021
javax.annotation-1.1.0.v201108011116.jarorg.eclipse.jetty.orbit:javax.annotation:1.1.0.v201108011116 016
org.objectweb.asm-3.1.0.v200803061910.jarorg.eclipse.jetty.orbit:org.objectweb.asm:3.1.0.v200803061910 016
jetty-io-8.1.8.v20121106.jarorg.eclipse.jetty:jetty-io:8.1.8.v20121106 031
jetty-util-8.1.8.v20121106.jarcpe:/a:jetty:jetty:8.1.8.v20121106
cpe:/a:eclipse:jetty:8.1.8.v20121106
org.eclipse.jetty:jetty-util:8.1.8.v20121106High4Low33
gretty-runner-jetty9-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty9:2.0.0 0Low10
javax-websocket-server-impl-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:javax-websocket-server-impl:9.2.22.v20170606High4Low35
jetty-annotations-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-annotations:9.2.22.v20170606High4Low37
jetty-plus-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-plus:9.2.22.v20170606High4Low35
jetty-webapp-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-webapp:9.2.22.v20170606High4Low35
websocket-server-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:websocket-server:9.2.22.v20170606High4Low35
jetty-servlet-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-servlet:9.2.22.v20170606High4Low35
jetty-security-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-security:9.2.22.v20170606High4Low35
jetty-server-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-server:9.2.22.v20170606High4Low35
jetty-jsp-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-jsp:9.2.22.v20170606High4Low22
websocket-servlet-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:websocket-servlet:9.2.22.v20170606High4Low33
asm-commons-5.0.3.jarorg.ow2.asm:asm-commons:5.0.3 020
asm-tree-5.0.3.jarorg.ow2.asm:asm-tree:5.0.3 020
asm-5.0.3.jarorg.ow2.asm:asm:5.0.3 018
jetty-http-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-http:9.2.22.v20170606High4Low33
javax-websocket-client-impl-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:javax-websocket-client-impl:9.2.22.v20170606High4Low31
websocket-client-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:websocket-client:9.2.22.v20170606High4Low31
websocket-common-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty.websocket:websocket-common:9.2.22.v20170606High4Low31
jetty-io-9.2.22.v20170606.jarorg.eclipse.jetty:jetty-io:9.2.22.v20170606 033
jetty-xml-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-xml:9.2.22.v20170606High4Low35
jetty-schemas-3.1.M0.jarorg.eclipse.jetty.toolchain:jetty-schemas:3.1.M0 025
javax.servlet.jsp-2.3.2.jarcpe:/a:oracle:jsp:2.3.2org.glassfish.web:javax.servlet.jsp:2.3.2 0Low34
javax.servlet.jsp-api-2.3.1.jarcpe:/a:oracle:jsp:2.3.1javax.servlet.jsp:javax.servlet.jsp-api:2.3.1 0Low34
javax.servlet.jsp.jstl-1.2.2.jarorg.glassfish.web:javax.servlet.jsp.jstl:1.2.2 034
javax.el-3.0.0.jarorg.glassfish:javax.el:3.0.0 034
org.eclipse.jdt.core-3.8.2.v20130121.jarorg.eclipse.jetty.orbit:org.eclipse.jdt.core:3.8.2.v20130121 017
javax.annotation-api-1.2.jarjavax.annotation:javax.annotation-api:1.2 037
jetty-jndi-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-jndi:9.2.22.v20170606High4Low35
jetty-util-9.2.22.v20170606.jarcpe:/a:jetty:jetty:9.2.22.v20170606
cpe:/a:eclipse:jetty:9.2.22.v20170606
org.eclipse.jetty:jetty-util:9.2.22.v20170606High4Low35
websocket-api-9.2.22.v20170606.jarorg.eclipse.jetty.websocket:websocket-api:9.2.22.v20170606 031
gretty-runner-jetty93-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty93:2.0.0 0Low10
javax-websocket-server-impl-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:javax-websocket-server-impl:9.3.20.v20170531High5Low37
jetty-annotations-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-annotations:9.3.20.v20170531High5Low39
jetty-plus-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-plus:9.3.20.v20170531High5Low39
jetty-webapp-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-webapp:9.3.20.v20170531High5Low39
websocket-server-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:websocket-server:9.3.20.v20170531High5Low35
jetty-servlet-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-servlet:9.3.20.v20170531High5Low39
jetty-security-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-security:9.3.20.v20170531High5Low39
jetty-server-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-server:9.3.20.v20170531High5Low39
apache-jsp-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:apache-jsp:9.3.20.v20170531High5Low39
websocket-servlet-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:websocket-servlet:9.3.20.v20170531High5Low35
jetty-http-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-http:9.3.20.v20170531High5Low37
javax-websocket-client-impl-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:javax-websocket-client-impl:9.3.20.v20170531High5Low35
websocket-client-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:websocket-client:9.3.20.v20170531High5Low35
websocket-common-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty.websocket:websocket-common:9.3.20.v20170531High5Low35
jetty-io-9.3.20.v20170531.jarorg.eclipse.jetty:jetty-io:9.3.20.v20170531 037
jetty-xml-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-xml:9.3.20.v20170531High5Low39
jetty-jndi-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-jndi:9.3.20.v20170531High5Low39
jetty-util-9.3.20.v20170531.jarcpe:/a:eclipse:jetty:9.3.20
cpe:/a:jetty:jetty:9.3.20.v20170531
org.eclipse.jetty:jetty-util:9.3.20.v20170531High5Low39
apache-jsp-8.0.33.jarcpe:/a:jasper_project:jasper:8.0.33
cpe:/a:apache_tomcat:apache_tomcat:8.0.33
org.mortbay.jasper:apache-jsp:8.0.33 0Low25
jetty-schemas-3.1.jarorg.eclipse.jetty.toolchain:jetty-schemas:3.1 025
ecj-4.4.2.jarorg.eclipse.jdt.core.compiler:ecj:4.4.2 017
apache-el-8.0.33.jarcpe:/a:apache_tomcat:apache_tomcat:8.0.33org.mortbay.jasper:apache-el:8.0.33 0Low18
websocket-api-9.3.20.v20170531.jarorg.eclipse.jetty.websocket:websocket-api:9.3.20.v20170531 035
gretty-runner-jetty94-2.0.0.jarcpe:/a:jetty:jetty:2.0.0org.akhikhl.gretty:gretty-runner-jetty94:2.0.0 0Low10
javax-websocket-server-impl-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.6.v20170531High6Low37
jetty-annotations-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-annotations:9.4.6.v20170531High6Low39
jetty-plus-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-plus:9.4.6.v20170531High6Low39
jetty-webapp-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-webapp:9.4.6.v20170531High6Low39
websocket-server-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:websocket-server:9.4.6.v20170531High6Low35
jetty-servlet-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-servlet:9.4.6.v20170531High6Low39
jetty-security-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-security:9.4.6.v20170531High6Low39
jetty-server-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-server:9.4.6.v20170531High6Low39
apache-jsp-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:apache-jsp:9.4.6.v20170531High6Low39
websocket-servlet-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:websocket-servlet:9.4.6.v20170531High6Low35
javax-websocket-client-impl-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.6.v20170531High6Low35
websocket-client-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:websocket-client:9.4.6.v20170531High6Low35
jetty-client-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-client:9.4.6.v20170531High6Low37
jetty-http-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-http:9.4.6.v20170531High6Low39
websocket-common-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty.websocket:websocket-common:9.4.6.v20170531High6Low35
jetty-io-9.4.6.v20170531.jarorg.eclipse.jetty:jetty-io:9.4.6.v20170531 037
jetty-xml-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-xml:9.4.6.v20170531High6Low39
jetty-jndi-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-jndi:9.4.6.v20170531High6Low39
jetty-util-9.4.6.v20170531.jarcpe:/a:eclipse:jetty:9.4.6
cpe:/a:jetty:jetty:9.4.6.v20170531
org.eclipse.jetty:jetty-util:9.4.6.v20170531High6Low39
apache-jsp-8.5.9.1.jarcpe:/a:apache_tomcat:apache_tomcat:8.5.9.1
cpe:/a:jasper_project:jasper:8.5.9.1
org.mortbay.jasper:apache-jsp:8.5.9.1 0Low27
apache-el-8.5.9.1.jarcpe:/a:apache_tomcat:apache_tomcat:8.5.9.1org.mortbay.jasper:apache-el:8.5.9.1 0Low21
websocket-api-9.4.6.v20170531.jarorg.eclipse.jetty.websocket:websocket-api:9.4.6.v20170531 035
gretty-runner-tomcat7-2.0.0.jarorg.akhikhl.gretty:gretty-runner-tomcat7:2.0.0 010
gretty-runner-tomcat-2.0.0.jarorg.akhikhl.gretty:gretty-runner-tomcat:2.0.0 010
tomcat-embed-jasper-7.0.78.jarcpe:/a:apache_software_foundation:tomcat:7.0.78
cpe:/a:apache:tomcat:7.0.78
cpe:/a:apache_tomcat:apache_tomcat:7.0.78
org.apache.tomcat.embed:tomcat-embed-jasper:7.0.78High6Highest13
tomcat-embed-el-7.0.78.jarorg.apache.tomcat.embed:tomcat-embed-el:7.0.78 013
tomcat-embed-websocket-7.0.78.jarcpe:/a:apache_software_foundation:tomcat:7.0.78
cpe:/a:apache:tomcat:7.0.78
cpe:/a:apache_tomcat:apache_tomcat:7.0.78
org.apache.tomcat.embed:tomcat-embed-websocket:7.0.78High6Highest15
log4j-over-slf4j-1.7.12.jarcpe:/a:slf4j:slf4j:1.7.12org.slf4j:log4j-over-slf4j:1.7.12 0Low29
tomcat-embed-core-7.0.78.jarcpe:/a:apache_software_foundation:tomcat:7.0.78
cpe:/a:apache:tomcat:7.0.78
cpe:/a:apache_tomcat:apache_tomcat:7.0.78
org.apache.tomcat.embed:tomcat-embed-core:7.0.78High6Highest13
tomcat-embed-logging-log4j-7.0.78.jarcpe:/a:apache_software_foundation:tomcat:7.0.78
cpe:/a:apache:tomcat:7.0.78
cpe:/a:apache_tomcat:apache_tomcat:7.0.78
cpe:/a:apache:log4j:7.0.78
org.apache.tomcat.embed:tomcat-embed-logging-log4j:7.0.78High6Highest15
slf4j-api-1.7.12.jarcpe:/a:slf4j:slf4j:1.7.12org.slf4j:slf4j-api:1.7.12 0Low29
gretty-runner-tomcat8-2.0.0.jarorg.akhikhl.gretty:gretty-runner-tomcat8:2.0.0 010
tomcat-embed-jasper-8.0.44.jarcpe:/a:apache:tomcat:8.0.44
cpe:/a:apache_software_foundation:tomcat:8.0.44
cpe:/a:apache_tomcat:apache_tomcat:8.0.44
org.apache.tomcat.embed:tomcat-embed-jasper:8.0.44High8Highest13
tomcat-embed-websocket-8.0.44.jarcpe:/a:apache:tomcat:8.0.44
cpe:/a:apache_software_foundation:tomcat:8.0.44
cpe:/a:apache_tomcat:apache_tomcat:8.0.44
org.apache.tomcat.embed:tomcat-embed-websocket:8.0.44High8Highest15
tomcat-embed-core-8.0.44.jarcpe:/a:apache:tomcat:8.0.44
cpe:/a:apache_software_foundation:tomcat:8.0.44
cpe:/a:apache_tomcat:apache_tomcat:8.0.44
org.apache.tomcat.embed:tomcat-embed-core:8.0.44High8Highest11
tomcat-embed-el-8.0.44.jarorg.apache.tomcat.embed:tomcat-embed-el:8.0.44 013
tomcat-embed-logging-log4j-8.0.44.jarcpe:/a:apache:tomcat:8.0.44
cpe:/a:apache:log4j:8.0.44
cpe:/a:apache_software_foundation:tomcat:8.0.44
cpe:/a:apache_tomcat:apache_tomcat:8.0.44
org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.0.44High8Highest15
ecj-3.12.3.jarorg.eclipse.jdt:ecj:3.12.3 017
springloaded-1.2.5.RELEASE.jarcpe:/a:springsource:spring_framework:1.2.5org.springframework:springloaded:1.2.5.RELEASEHigh6Low15
gretty-starter-2.0.0.jarorg.akhikhl.gretty:gretty-starter:2.0.0 010
gretty-core-2.0.0.jarorg.akhikhl.gretty:gretty-core:2.0.0 010
commons-configuration-1.10.jarcommons-configuration:commons-configuration:1.10 035
commons-lang3-3.3.2.jarorg.apache.commons:commons-lang3:3.3.2 035
org.apache.servicemix.bundles.bcprov-jdk16-1.46_3.jarorg.apache.servicemix.bundles:org.apache.servicemix.bundles.bcprov-jdk16:1.46_3 025
spring-boot-devtools-1.3.3.RELEASE.jarcpe:/a:pivotal_software:spring_boot:1.3.3org.springframework.boot:spring-boot-devtools:1.3.3.RELEASEHigh2Highest28
commons-lang-2.6.jarcommons-lang:commons-lang:2.6 033
spring-boot-autoconfigure-1.3.3.RELEASE.jarcpe:/a:pivotal_software:spring_boot:1.3.3org.springframework.boot:spring-boot-autoconfigure:1.3.3.RELEASEHigh2Highest28
spring-boot-1.3.3.RELEASE.jarcpe:/a:pivotal_software:spring_boot:1.3.3org.springframework.boot:spring-boot:1.3.3.RELEASEHigh2Highest28
spring-context-4.2.5.RELEASE.jarcpe:/a:pivotal_software:spring_framework:4.2.5
cpe:/a:pivotal:spring_framework:4.2.5
org.springframework:spring-context:4.2.5.RELEASEHigh5Highest11
spring-aop-4.2.5.RELEASE.jarcpe:/a:pivotal_software:spring_framework:4.2.5
cpe:/a:pivotal:spring_framework:4.2.5
org.springframework:spring-aop:4.2.5.RELEASEHigh5Highest13
spring-beans-4.2.5.RELEASE.jarcpe:/a:pivotal_software:spring_framework:4.2.5
cpe:/a:pivotal:spring_framework:4.2.5
org.springframework:spring-beans:4.2.5.RELEASEHigh5Highest15
spring-expression-4.2.5.RELEASE.jarcpe:/a:pivotal_software:spring_framework:4.2.5
cpe:/a:pivotal:spring_framework:4.2.5
org.springframework:spring-expression:4.2.5.RELEASEHigh5Highest15
spring-core-4.2.5.RELEASE.jarcpe:/a:pivotal_software:spring_framework:4.2.5
cpe:/a:pivotal:spring_framework:4.2.5
org.springframework:spring-core:4.2.5.RELEASEHigh5Highest15
commons-logging-1.2.jarcommons-logging:commons-logging:1.2 035
aopalliance-1.0.jaraopalliance:aopalliance:1.0 010
org.jacoco.agent-0.8.1.jarorg.jacoco:org.jacoco.agent:0.8.1 029
org.jacoco.ant-0.8.1.jarorg.jacoco:org.jacoco.ant:0.8.1 031
org.jacoco.report-0.8.1.jarorg.jacoco:org.jacoco.report:0.8.1 029
org.jacoco.core-0.8.1.jarorg.jacoco:org.jacoco.core:0.8.1 029
asm-commons-6.0.jarorg.ow2.asm:asm-commons:6.0 024
asm-analysis-6.0.jarorg.ow2.asm:asm-analysis:6.0 025
asm-util-6.0.jarorg.ow2.asm:asm-util:6.0 024
asm-tree-6.0.jarorg.ow2.asm:asm-tree:6.0 024
asm-6.0.jarorg.ow2.asm:asm:6.0 020
org.jacoco.agent-0.8.1.jar: jacocoagent.jar 013
org.jacoco.agent-0.8.1.jar: jacocoagent.jar (shaded: org.jacoco:org.jacoco.agent.rt:0.8.1)org.jacoco:org.jacoco.agent.rt:0.8.1 013

Dependencies

commons-io-1.4.jar

Description:

 
        Commons-IO contains utility classes, stream implementations, file filters, file comparators and endian classes.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-io\commons-io\1.4\a8762d07e76cfde2395257a5da47ba7c1dbd3dce\commons-io-1.4.jar
MD5: b6a50c8a15ece8753e37cbe5700bf84f
SHA1: a8762d07e76cfde2395257a5da47ba7c1dbd3dce
SHA256:a7f713593007813bf07d19bd1df9f81c86c0719e9a0bb2ef1b98b78313fc940d
Referenced In Projects/Scopes:
  • webApplication:compile
  • webApplication:compileClasspath
  • webApplication:default
  • webApplication:runtime
  • webApplication:springBoot
  • webApplication:grettyProductRuntime
  • webApplication:runtimeClasspath

Identifiers

  • maven: commons-io:commons-io:1.4  Confidence:Highest

commons-collections-3.2.2.jar

Description:

 Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-collections\commons-collections\3.2.2\8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5\commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Projects/Scopes:
  • webApplication:compile
  • webApplication:compileClasspath
  • webApplication:default
  • webApplication:runtime
  • webApplication:springBoot
  • webApplication:grettyProductRuntime
  • webApplication:runtimeClasspath

Identifiers

  • cpe: cpe:/a:apache:commons_collections:3.2.2  Confidence:Low  
  • maven: commons-collections:commons-collections:3.2.2  Confidence:Highest

log4j-1.2.15.jar

Description:

 Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\log4j\log4j\1.2.15\f0a0d2e29ed910808c33135a3a5a51bba6358f7b\log4j-1.2.15.jar
MD5: 4d4609998fbc124ce6f0d1d48fca2614
SHA1: f0a0d2e29ed910808c33135a3a5a51bba6358f7b
SHA256:9f5f5799707881451a39c1b2dd22b4e43b97a80698db7daf1c9697f545e24387
Referenced In Projects/Scopes:
  • webApplication:compile
  • webApplication:compileClasspath
  • webApplication:default
  • webApplication:runtime
  • webApplication:springBoot
  • webApplication:grettyProductRuntime
  • webApplication:runtimeClasspath

Identifiers

  • cpe: cpe:/a:apache:log4j:1.2.15  Confidence:Low  
  • maven: log4j:log4j:1.2.15  Confidence:Highest

javax.servlet-api-3.1.0.jar

Description:

 Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.servlet\javax.servlet-api\3.1.0\3cd63d075497751784b2fa84be59432f4905bf7c\javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:compileClasspath
  • webApplication:grettyRunnerJetty94
  • webApplication:runtime
  • webApplication:grettyProvidedCompile
  • webApplication:grettyRunnerTomcat8
  • webApplication:providedRuntime
  • webApplication:runtimeClasspath
  • webApplication:compile
  • webApplication:grettyRunnerJetty9
  • webApplication:default
  • webApplication:springBoot
  • webApplication:grettyProductRuntime
  • webApplication:providedCompile

Identifiers

  • maven: javax.servlet:javax.servlet-api:3.1.0  Confidence:Highest

javax.websocket-api-1.0.jar

Description:

 JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.websocket\javax.websocket-api\1.0\fc843b649d4a1dcb0497669d262befa3918c7ba8\javax.websocket-api-1.0.jar
MD5: 510563ac69503be2d6cbb6d492a8027b
SHA1: fc843b649d4a1dcb0497669d262befa3918c7ba8
SHA256:dd93009fb5aa3798bcd9ab0492a292ddae0f0b1ed2e45a75867a9925c90e747a
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:compileClasspath
  • webApplication:grettyRunnerJetty94
  • webApplication:runtime
  • webApplication:grettyProvidedCompile
  • webApplication:providedRuntime
  • webApplication:runtimeClasspath
  • webApplication:compile
  • webApplication:grettyRunnerJetty9
  • webApplication:default
  • webApplication:springBoot
  • webApplication:grettyProductRuntime
  • webApplication:providedCompile

Identifiers

  • maven: javax.websocket:javax.websocket-api:1.0  Confidence:Highest

gretty-runner-jetty7-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty7\2.0.0\d6178e2d866ecfd3b122e6239dce90de91f84615\gretty-runner-jetty7-2.0.0.jar
MD5: 95da8574846bee2403aa8dedc448ec80
SHA1: d6178e2d866ecfd3b122e6239dce90de91f84615
SHA256:e396445fc572de13d841c64a64e79b8e359e504c4def7d3b46216cd1ac57fa6a
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty7:2.0.0  Confidence:Highest

gretty-runner-jetty-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty\2.0.0\9b827d6d50030a0e1ae757078045258e04bf53d5\gretty-runner-jetty-2.0.0.jar
MD5: 7bb0034c694161c13fcad17ba75b31a7
SHA1: 9b827d6d50030a0e1ae757078045258e04bf53d5
SHA256:4e9473315ce4cd57e7f5b3bc91e21f8b3988b5d1a94b3c85d43829cc02aae39e
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty:2.0.0  Confidence:Highest

servlet-api-2.5.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.servlet\servlet-api\2.5\5959582d97d8b61f4d154ca9e495aafd16726e34\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: javax.servlet:servlet-api:2.5  Confidence:Highest

jetty-plus-7.6.16.v20140903.jar

Description:

 Jetty JavaEE style services

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\7.6.16.v20140903\c6998f0c7b844fb0accc210e9b982a911588c509\jetty-plus-7.6.16.v20140903.jar
MD5: fcb24b8a48862a2969cf52f4f271c2ee
SHA1: c6998f0c7b844fb0accc210e9b982a911588c509
SHA256:5e85a756fa69696aed79cfe5bd8a7358bbc78b1fb62c557aba924da76d151500
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-plus:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-webapp-7.6.16.v20140903.jar

Description:

 Jetty web application support

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\7.6.16.v20140903\b246c86ca254d507d8b1cbfa58998b1d673f67a4\jetty-webapp-7.6.16.v20140903.jar
MD5: b3f0d1ea71f41202b251e7a5aae7e4a1
SHA1: b246c86ca254d507d8b1cbfa58998b1d673f67a4
SHA256:a229c3dbad6dc666504d286efeba1bacb04578c1902e145d4630f41fcbd4db15
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-webapp:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-servlet-7.6.16.v20140903.jar

Description:

 Jetty Servlet Container

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\7.6.16.v20140903\868483a3e235663625f22cc00eb06eddd0046758\jetty-servlet-7.6.16.v20140903.jar
MD5: dc86a65f5a9807e23d78a82416e9daf4
SHA1: 868483a3e235663625f22cc00eb06eddd0046758
SHA256:a2db32ce272f5a0daca447aecf161bb4c1624a5cca3cf34355964b7d60907df9
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-servlet:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-security-7.6.16.v20140903.jar

Description:

 Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\7.6.16.v20140903\f80a992105dd24c9602c8358bc03017d261a2d33\jetty-security-7.6.16.v20140903.jar
MD5: 57d9be6a41d9d2a37f362f66b450278e
SHA1: f80a992105dd24c9602c8358bc03017d261a2d33
SHA256:013b2b32a3262e6381f2f33bb925c77c6d370ac79c425571c2f07b197e27815f
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-security:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-jndi-7.6.16.v20140903.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\7.6.16.v20140903\67340ac158ec239fa9bb0e0e535b531ddb2f809c\jetty-jndi-7.6.16.v20140903.jar
MD5: 7dfa029293136740c160d9ffab635f71
SHA1: 67340ac158ec239fa9bb0e0e535b531ddb2f809c
SHA256:9fd2a199da785f76c0bc76f38acfb447bacfcfb8a064eeaa558a1f6e2724aa84
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-jndi:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-server-7.6.16.v20140903.jar

Description:

 The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\7.6.16.v20140903\c2c70df7185a2be6dc654c76929533f59af9e602\jetty-server-7.6.16.v20140903.jar
MD5: 74b7e527ee96d499f9a1e98f95ffda42
SHA1: c2c70df7185a2be6dc654c76929533f59af9e602
SHA256:cecdbf0750149f25e3d12f683e152db069fad7ff20d3cb7aae16a9fee0f35aa5
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-server:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-jsp-7.6.16.v20140903.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jsp\7.6.16.v20140903\808bf91fef21c76a5bae171a9c1125188c8b9622\jetty-jsp-7.6.16.v20140903.jar
MD5: 9bcfcc18e63d75345d795ed2330b8557
SHA1: 808bf91fef21c76a5bae171a9c1125188c8b9622
SHA256:c299d7fa4413c7e0bf0016fd7b55d71100c0199fb5785f0239b199eb78f21564
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jsp:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

gretty-runner-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner\2.0.0\c9ef7e111606be9eac4fa402316dbaa2ed7106\gretty-runner-2.0.0.jar
MD5: 1c3a8c75cfdca12af7f506a5afdccc55
SHA1: 00c9ef7e111606be9eac4fa402316dbaa2ed7106
SHA256:6445b6fbf8d0c6c928a527b6a3799509c37a1ae5950f5fbe0c2669f535fd9e76
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.akhikhl.gretty:gretty-runner:2.0.0  Confidence:Highest

jetty-continuation-7.6.16.v20140903.jar

Description:

 Asynchronous API

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-continuation\7.6.16.v20140903\2fa2a8e31ea230ebea348b7c6ac24b3c9597a0a\jetty-continuation-7.6.16.v20140903.jar
MD5: b87eb0643a3f62f4ad9e481cf25911db
SHA1: 02fa2a8e31ea230ebea348b7c6ac24b3c9597a0a
SHA256:c3f89142aee8a57838bd15e6fda356a2f58fe6e3c948c19e2715e4db9fb86d76
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-continuation:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-http-7.6.16.v20140903.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\7.6.16.v20140903\ccd391b7b1a45c11fc9326f5df0e8ec103680a76\jetty-http-7.6.16.v20140903.jar
MD5: f639947f315c84628a1aa77fd067581b
SHA1: ccd391b7b1a45c11fc9326f5df0e8ec103680a76
SHA256:42650c37e967328c298631127afe4f7ca1ee9753e14f0504f147bf9513938a88
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-http:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-xml-7.6.16.v20140903.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\7.6.16.v20140903\f43ebd277867d138e90f9009f4c5ad8d2f2939fe\jetty-xml-7.6.16.v20140903.jar
MD5: d56f2bc35c4250da962314dcaf2d16c3
SHA1: f43ebd277867d138e90f9009f4c5ad8d2f2939fe
SHA256:9226012e8df10a1a127229bbd03f69112bdc088e5288b7d782f1d75fc13b7dd2
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-xml:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

org.apache.jasper.glassfish-2.1.0.v201110031002.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.apache.jasper.glassfish\2.1.0.v201110031002\d46a9228e8c5a842129b6c356767aadc577583c3\org.apache.jasper.glassfish-2.1.0.v201110031002.jar
MD5: 3ac764214aba065c9817000ab55564a5
SHA1: d46a9228e8c5a842129b6c356767aadc577583c3
SHA256:6d891486517ffb8816f0e7a6b7cc5bed5e98e9fafca5de63cd54f835c40a58ec
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:org.apache.jasper.glassfish:2.1.0.v201110031002  Confidence:Highest
  • cpe: cpe:/a:jasper_project:jasper:2.1.0.v20111003  Confidence:Low  

org.apache.taglibs.standard.glassfish-1.2.0.v201112081803.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.apache.taglibs.standard.glassfish\1.2.0.v201112081803\2c4baa72af1d3aae3a1e029d4f8ca07498dabbe0\org.apache.taglibs.standard.glassfish-1.2.0.v201112081803.jar
MD5: c5da9cabe0bc86315f17b571d003e809
SHA1: 2c4baa72af1d3aae3a1e029d4f8ca07498dabbe0
SHA256:ab520590f861904dde8fa4e0b6e3a127d0578de8a95c3da551a987b664ed1658
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:org.apache.taglibs.standard.glassfish:1.2.0.v201112081803  Confidence:Highest
  • cpe: cpe:/a:apache:standard_taglibs:1.2.0.v20111208  Confidence:Low  

CVE-2015-0254  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Vulnerable Software & Versions:

javax.servlet.jsp.jstl-1.2.0.v201105211821.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.servlet.jsp.jstl\1.2.0.v201105211821\db594f1c8fc00d536f6d135bd7f8a9a99a6b8eea\javax.servlet.jsp.jstl-1.2.0.v201105211821.jar
MD5: 2b4e0a4eef12ee6b45a39f0447e31b40
SHA1: db594f1c8fc00d536f6d135bd7f8a9a99a6b8eea
SHA256:2b209fc156bbcfc5c4fce9ca552296eeeb67a4bf1472c413dc9fb617a58950ee
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.servlet.jsp.jstl:1.2.0.v201105211821  Confidence:Highest

javax.servlet.jsp-2.1.0.v201105211820.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.servlet.jsp\2.1.0.v201105211820\d50c66c936236b69938132d0de11aae64d6bd57e\javax.servlet.jsp-2.1.0.v201105211820.jar
MD5: 4156613a20ed0ccd1dcdd33a153862ef
SHA1: d50c66c936236b69938132d0de11aae64d6bd57e
SHA256:7cd3efc80110948465e42e05f938edbe6c3ff43dea19bc784b7b8c80fe7ef5a8
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.servlet.jsp:2.1.0.v201105211820  Confidence:Highest

javax.el-2.1.0.v201105211819.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.el\2.1.0.v201105211819\884c2afadef64aca5f70649fc9ec4160d9861298\javax.el-2.1.0.v201105211819.jar
MD5: d1b1567b65336bf6bbeed5fed98dbc9c
SHA1: 884c2afadef64aca5f70649fc9ec4160d9861298
SHA256:3189097f14c46338ea609b6cc72fdf3f3b9ac84de8d30a3b97c1d09ee5c589cb
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.el:2.1.0.v201105211819  Confidence:Highest

com.sun.el-1.0.0.v201105211818.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\com.sun.el\1.0.0.v201105211818\abed5039def39db631082df52ce99820c6f502f2\com.sun.el-1.0.0.v201105211818.jar
MD5: 153f19a5f3b7fdfe5f42d3ae0adc592c
SHA1: abed5039def39db631082df52ce99820c6f502f2
SHA256:ebccf6286d7572c76b9dd5a5ce6fc3e459ad1e1e14cc62628a52924d2276de08
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:com.sun.el:1.0.0.v201105211818  Confidence:Highest

org.eclipse.jdt.core-3.7.1.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.eclipse.jdt.core\3.7.1\5b79bfee0852ca685e33cab74496fa3400271b5b\org.eclipse.jdt.core-3.7.1.jar
MD5: 5dd60a35489d3a9cd4b14925592a0165
SHA1: 5b79bfee0852ca685e33cab74496fa3400271b5b
SHA256:8eab8f9352d1c8702c1d5b50da3f82bc0c7ec2df21656b2feb8dd1dcc8db7d8b
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:org.eclipse.jdt.core:3.7.1  Confidence:Highest

javax.transaction-1.1.1.v201105210645.jar

Description:

 Provides open-source implementations of Sun specifications.

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.transaction\1.1.1.v201105210645\68e61aa115bbff4e1e2ae4b16feb27d9f805eb6\javax.transaction-1.1.1.v201105210645.jar
MD5: 46452d9d9f059269d19c66ef7e673266
SHA1: 068e61aa115bbff4e1e2ae4b16feb27d9f805eb6
SHA256:bacda0bb509c8273d944cc963e80337460b61d4be15c90a2c0a973a8b5b6248c
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.transaction:1.1.1.v201105210645  Confidence:Highest
  • maven: org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1  Confidence:High

groovy-json-2.4.11.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.codehaus.groovy\groovy-json\2.4.11\98b01ddd7811e27b8bb7900e3ea029d86f243e10\groovy-json-2.4.11.jar
MD5: f431cbf60ec2ea37d19dd0ea3911de76
SHA1: 98b01ddd7811e27b8bb7900e3ea029d86f243e10
SHA256:d3cd1473758b5f0743342aec7e97277f0b5bf63729f05d4d95ed74c0d8c3435b
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

CVE-2016-6497  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

Vulnerable Software & Versions:

groovy-2.4.11.jar

Description:

 Groovy Runtime

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.codehaus.groovy\groovy\2.4.11\52a60df8b4cbfe39469171a42ca77a3e4eb4e737\groovy-2.4.11.jar
MD5: 7d1c9ee7597518ca58c188d99c637518
SHA1: 52a60df8b4cbfe39469171a42ca77a3e4eb4e737
SHA256:acdb62d3a14297568053a420cd02238c69b48d52492d9c108ea3fda8a2fa3f19
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

commons-cli-1.2.jar

Description:

 
    Commons CLI provides a simple API for presenting, processing and validating a command line interface.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-cli\commons-cli\1.2\2bf96b7aa8b611c177d329452af1dc933e14501c\commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

  • maven: commons-cli:commons-cli:1.2  Confidence:Highest

commons-io-2.4.jar

Description:

 
The Commons IO library contains utility classes, stream implementations, file filters, 
file comparators, endian transformation classes, and much more.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-io\commons-io\2.4\b1b6ea3b7e4aa4f492509a4952029cd8e48019ad\commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

  • maven: commons-io:commons-io:2.4  Confidence:Highest

logback-classic-1.1.3.jar

Description:

 logback-classic module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\ch.qos.logback\logback-classic\1.1.3\d90276fff414f06cb375f2057f6778cd63c6082f\logback-classic-1.1.3.jar
MD5: 19ec751a4fe907ddb204dff93103acbb
SHA1: d90276fff414f06cb375f2057f6778cd63c6082f
SHA256:98c3f18f5d0d642cd5f327cc724566cd19649626c7d88f70143bd704c94157d5
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

  • maven: ch.qos.logback:logback-classic:1.1.3  Confidence:Highest
  • cpe: cpe:/a:logback:logback:1.1.3  Confidence:Low  

CVE-2017-5929  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Vulnerable Software & Versions:

jetty-io-7.6.16.v20140903.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\7.6.16.v20140903\91d730b1874f40ea0fd081826958d5f041d5a65e\jetty-io-7.6.16.v20140903.jar
MD5: 11ba69a18d19b80b1ad766580dde7e91
SHA1: 91d730b1874f40ea0fd081826958d5f041d5a65e
SHA256:6d3c87875bc4cb2ecef401c5c3040a5ff9615eaa75b03f2a911d2a68aeae812d
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-io:7.6.16.v20140903  Confidence:Highest

jetty-util-7.6.16.v20140903.jar

Description:

 Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\7.6.16.v20140903\51d2d89bda3ff0da7d405c65589da6ed97f81541\jetty-util-7.6.16.v20140903.jar
MD5: 634bca64e797f12a32353906b880675d
SHA1: 51d2d89bda3ff0da7d405c65589da6ed97f81541
SHA256:3968b4b309d505489804a6570f74df7274e07972615d2f5be808d80807e2b33a
Referenced In Project/Scope:webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty:jetty-util:7.6.16.v20140903  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:7.6.16.v20140903  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:7.6.16.v20140903  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

javax.mail.glassfish-1.4.1.v201005082020.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.mail.glassfish\1.4.1.v201005082020\b707c39fc080529c4a9ffc1df4eac58421133aaf\javax.mail.glassfish-1.4.1.v201005082020.jar
MD5: 4338c1dd7b00b31633ca1067d0685255
SHA1: b707c39fc080529c4a9ffc1df4eac58421133aaf
SHA256:5de5893eb05ebfc397884f5357c274876ea6d05adbc3de7db5d4e4355a23d652
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.mail.glassfish:1.4.1.v201005082020  Confidence:Highest

logback-core-1.1.3.jar

Description:

 logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\ch.qos.logback\logback-core\1.1.3\e3c02049f2dbbc764681b40094ecf0dcbc99b157\logback-core-1.1.3.jar
MD5: 94975ef44aa05c5067563875a783351e
SHA1: e3c02049f2dbbc764681b40094ecf0dcbc99b157
SHA256:47c0fd342995d3315b8faccacc324b2a76143b27c430d4b2d6a29eabc31f5c14
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:logback:logback:1.1.3  Confidence:Low  
  • maven: ch.qos.logback:logback-core:1.1.3  Confidence:Highest

CVE-2017-5929  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Vulnerable Software & Versions:

slf4j-api-1.7.7.jar

Description:

 The slf4j API

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.7\2b8019b6249bb05d81d3a3094e468753e2b21311\slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
SHA256:69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7
  • webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.7  Confidence:Low  
  • maven: org.slf4j:slf4j-api:1.7.7  Confidence:Highest

javax.activation-1.1.0.v201105071233.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.activation\1.1.0.v201105071233\b394a9fbf664ca835452b3ced452710bcf79fd81\javax.activation-1.1.0.v201105071233.jar
MD5: 1402e9e48aa8bd79196b9a509be492ea
SHA1: b394a9fbf664ca835452b3ced452710bcf79fd81
SHA256:5e18b1f0ec47d980f199eb7ee40acdc068c96f754f75040c0f129fcfa7724f06
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty8
  • webApplication:grettyRunnerJetty7

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.activation:1.1.0.v201105071233  Confidence:Highest

gretty-runner-jetty8-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty8\2.0.0\f50ceb259171d23cc8d4ec088a8218b853ff54ea\gretty-runner-jetty8-2.0.0.jar
MD5: a332230c2a8acc5007a693aab6c2b95c
SHA1: f50ceb259171d23cc8d4ec088a8218b853ff54ea
SHA256:d7344a17de2f12c802e1f2b9bbe9ad77dfa703b8a43e33d04369fc472a0a2843
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty8:2.0.0  Confidence:Highest

javax.servlet-api-3.0.1.jar

Description:

 Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.servlet\javax.servlet-api\3.0.1\6bf0ebb7efd993e222fc1112377b5e92a13b38dd\javax.servlet-api-3.0.1.jar
MD5: 3ef236ac4c24850cd54abff60be25f35
SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd
SHA256:377d8bde87ac6bc7f83f27df8e02456d5870bb78c832dac656ceacc28b016e56
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerJetty8

Identifiers

  • maven: javax.servlet:javax.servlet-api:3.0.1  Confidence:Highest

jetty-annotations-8.1.8.v20121106.jar

Description:

 Annotation support for deploying servlets in jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-annotations\8.1.8.v20121106\89f55079b10d04d4fd161dc980e93dc8f982f39\jetty-annotations-8.1.8.v20121106.jar
MD5: 9d3bbeb150f8de26063bec410ae1a210
SHA1: 089f55079b10d04d4fd161dc980e93dc8f982f39
SHA256:9e7f871b277be490b70f566ef590f134c266261af624e0594f27d7b7840bce5a
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-annotations:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-plus-8.1.8.v20121106.jar

Description:

 Jetty JavaEE style services

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\8.1.8.v20121106\6320b83757bbf8c7d7d499b1ca11921f0a06ba7f\jetty-plus-8.1.8.v20121106.jar
MD5: 6b01374056b975377bcc497901ce67b2
SHA1: 6320b83757bbf8c7d7d499b1ca11921f0a06ba7f
SHA256:24df6afb7e79378c5d8d330537837a60c456f4c445ad40c9d25b8629b2c1e28a
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-plus:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-webapp-8.1.8.v20121106.jar

Description:

 Jetty web application support

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\8.1.8.v20121106\5beadb7635372ed38c543dd82e2e270a409b1ab8\jetty-webapp-8.1.8.v20121106.jar
MD5: e6364fce0b6a5d192d33e13fa1f813b1
SHA1: 5beadb7635372ed38c543dd82e2e270a409b1ab8
SHA256:1760c5ebbcbdaa888c86a0722edf147a840ec4df1743e18026afe0012f8bcb33
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-webapp:8.1.8.v20121106  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-servlet-8.1.8.v20121106.jar

Description:

 Jetty Servlet Container

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\8.1.8.v20121106\285ea47746e9ab988a8291ea9fd6545b537e0ce9\jetty-servlet-8.1.8.v20121106.jar
MD5: 9b940e35a8b798044109fdf38fc429da
SHA1: 285ea47746e9ab988a8291ea9fd6545b537e0ce9
SHA256:cc85198de9184ec9eb07835a2b4dc63c4d36ba41be324d11c2e80330fa79b1bb
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-servlet:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-security-8.1.8.v20121106.jar

Description:

 Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\8.1.8.v20121106\b3efb0450900cf30932c9acf6e47deb936fac2d7\jetty-security-8.1.8.v20121106.jar
MD5: 85c082126a6ed9498c730379fefb8086
SHA1: b3efb0450900cf30932c9acf6e47deb936fac2d7
SHA256:bb7ef98cbfbee544d1db129a9cdc364c073f969c1ed8189cdf1da3a3c443697b
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-security:8.1.8.v20121106  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-jndi-8.1.8.v20121106.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\8.1.8.v20121106\240d5af2e9b3ed3b24567f18cf2cfb7ec4d7fff7\jetty-jndi-8.1.8.v20121106.jar
MD5: 053a82d1afccb7f51f55d908719c2ba9
SHA1: 240d5af2e9b3ed3b24567f18cf2cfb7ec4d7fff7
SHA256:d205070e9396ebaf6732bfa88f2c1a3dc6ca70b9aaa88a50f66b3ca87f8d5aca
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jndi:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-server-8.1.8.v20121106.jar

Description:

 The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\8.1.8.v20121106\61e7c2d0cb168d82696f8fabb8c4da834d736e78\jetty-server-8.1.8.v20121106.jar
MD5: ed9205fd6eeef6591261081773cd05dc
SHA1: 61e7c2d0cb168d82696f8fabb8c4da834d736e78
SHA256:c9147d3edc7c01d6998fa491ce2f1a16fbc4326f9e4f4807c149e922a77a2b38
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-server:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-jsp-8.1.8.v20121106.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jsp\8.1.8.v20121106\4a9f4354a0701b6347b10791fe3975a2bc07beb5\jetty-jsp-8.1.8.v20121106.jar
MD5: 43c64430a72912afc95fb731e366cda8
SHA1: 4a9f4354a0701b6347b10791fe3975a2bc07beb5
SHA256:9195094545d78cf9ea37b207f46bcf088b8d858b772226f339c6e4c939fd6b50
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jsp:8.1.8.v20121106  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-continuation-8.1.8.v20121106.jar

Description:

 Asynchronous API

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-continuation\8.1.8.v20121106\a237d7057c35ae73b821b0f601746dc9a578c361\jetty-continuation-8.1.8.v20121106.jar
MD5: d417b25f424b99618f5ed3baa47cdb73
SHA1: a237d7057c35ae73b821b0f601746dc9a578c361
SHA256:f010a29ceca72526b4304b63a0e472166e6d746df816dfca77e5a9bf79b55445
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-continuation:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-http-8.1.8.v20121106.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\8.1.8.v20121106\5f3f0a4b1dbc4a36f97649c9fee940134fe584ca\jetty-http-8.1.8.v20121106.jar
MD5: ab0b191118903ecbc1c6c1ec56e262e0
SHA1: 5f3f0a4b1dbc4a36f97649c9fee940134fe584ca
SHA256:22726cfbcdf8ff6889e8e35e847dbb92a17cc6ee70fc65000abac09270632812
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-http:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-xml-8.1.8.v20121106.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\8.1.8.v20121106\1f03630eea10f58899442af3626ac0aba33d7ea2\jetty-xml-8.1.8.v20121106.jar
MD5: 1cc4c21e3bb25c087e35b8654a54815e
SHA1: 1f03630eea10f58899442af3626ac0aba33d7ea2
SHA256:d9d1b1f7ba931dd4f1b9c829a8a4cbb9ef4789cd82a905cafd335a0e4845d4ea
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-xml:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

org.apache.jasper.glassfish-2.2.2.v201112011158.jar

Description:

 JSP 2.2 reference implementation from Glassfish

License:

https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.apache.jasper.glassfish\2.2.2.v201112011158\3945afe6a042228a92da320aec3fa1bc1308183b\org.apache.jasper.glassfish-2.2.2.v201112011158.jar
MD5: 60ec17fa0c9cda815a3c32f17cdf143a
SHA1: 3945afe6a042228a92da320aec3fa1bc1308183b
SHA256:05f97aa1ad604834f3382a507ed7cf0bc47d02001b828ec8237f2b41399395d2
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:org.apache.jasper.glassfish:2.2.2.v201112011158  Confidence:Highest
  • cpe: cpe:/a:jasper_project:jasper:2.2.2.v20111201  Confidence:Low  

javax.servlet.jsp-2.2.0.v201112011158.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.servlet.jsp\2.2.0.v201112011158\80b4ffe7c26ee97313bea2ddda5835fd38812ee4\javax.servlet.jsp-2.2.0.v201112011158.jar
MD5: d2b89c19274e3b5b581b2b5b3b67cf6f
SHA1: 80b4ffe7c26ee97313bea2ddda5835fd38812ee4
SHA256:e86e1ca2af19a65d6c99498f3927a65ddf09b66fcb308f54bb21af0ce7d96181
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.servlet.jsp:2.2.0.v201112011158  Confidence:Highest

javax.el-2.2.0.v201108011116.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.el\2.2.0.v201108011116\ec8944c11833d84b0283a5afbad0fafb264f86a9\javax.el-2.2.0.v201108011116.jar
MD5: 4d6443a069371e8eb53437bf85bd9cb5
SHA1: ec8944c11833d84b0283a5afbad0fafb264f86a9
SHA256:7cd75df35e94229dbb000a2d927375cdc4e4a57a371dacb1a682981cb0850d13
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.el:2.2.0.v201108011116  Confidence:Highest

com.sun.el-2.2.0.v201108011116.jar

Description:

 Javax El RI el-impl-2.2.1-b05

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\com.sun.el\2.2.0.v201108011116\15f7774c3fa514835a371f47c152317704ea411a\com.sun.el-2.2.0.v201108011116.jar
MD5: 1fa5a8fc3bd0c72bd6d89b0debb266d1
SHA1: 15f7774c3fa514835a371f47c152317704ea411a
SHA256:9ed3ae5602d6f79e3338c351b2c6d5b3440972fb560fcc6be318aa37ad5903d4
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:com.sun.el:2.2.0.v201108011116  Confidence:Highest

javax.annotation-1.1.0.v201108011116.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\javax.annotation\1.1.0.v201108011116\964b4bd5e4f40d6497fd302e2e66c4a4257138b3\javax.annotation-1.1.0.v201108011116.jar
MD5: c5032dde2da756d24c7c9b31b2103f66
SHA1: 964b4bd5e4f40d6497fd302e2e66c4a4257138b3
SHA256:7e59cba703e14f7fd0b64a8524a7c962c48d734cefd89445572526e307cd1c99
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.annotation:1.1.0.v201108011116  Confidence:Highest

org.objectweb.asm-3.1.0.v200803061910.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.objectweb.asm\3.1.0.v200803061910\bf952ae43613f460f11ce5f8727cc9e4a7f8d33d\org.objectweb.asm-3.1.0.v200803061910.jar
MD5: 784732c0cb71da69823cce14af1d13c8
SHA1: bf952ae43613f460f11ce5f8727cc9e4a7f8d33d
SHA256:3af05a9bb4a36fa7c2a103354f981e7e0e1a938d712d309c2eacd27f17b0249d
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty.orbit:org.objectweb.asm:3.1.0.v200803061910  Confidence:Highest

jetty-io-8.1.8.v20121106.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\8.1.8.v20121106\b413448bb6d474b82bb3d988604d3df988a689e3\jetty-io-8.1.8.v20121106.jar
MD5: 5c6516d8fa2393ce7be41ee1b8f3fd16
SHA1: b413448bb6d474b82bb3d988604d3df988a689e3
SHA256:07da62062b3edf426bcba5e0ae56d1721ab75abd8b7cabb96f105e93337656fb
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • maven: org.eclipse.jetty:jetty-io:8.1.8.v20121106  Confidence:Highest

jetty-util-8.1.8.v20121106.jar

Description:

 Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\8.1.8.v20121106\3174e8d53033e3c4d350eba3112efdc170b40dc\jetty-util-8.1.8.v20121106.jar
MD5: c2371b0d561c8dfa1f07cefe7b7789af
SHA1: 03174e8d53033e3c4d350eba3112efdc170b40dc
SHA256:42a87b873ac1f4a4adcbf1617b74a046f9c8037fe4cbb6cefa162665ac3ab8e8
Referenced In Project/Scope:webApplication:grettyRunnerJetty8

Identifiers

  • cpe: cpe:/a:jetty:jetty:8.1.8.v20121106  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:8.1.8.v20121106  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-util:8.1.8.v20121106  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

gretty-runner-jetty9-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty9\2.0.0\d5765d2a96b10de69bcee02aec2486da13722e15\gretty-runner-jetty9-2.0.0.jar
MD5: d15f92cc833c79b4ccc60449dac0bc14
SHA1: d5765d2a96b10de69bcee02aec2486da13722e15
SHA256:e1c05865d0aa2636263292f1500854cbffb8be2595e8f6c3fbf7897a0e05060e
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty9:2.0.0  Confidence:Highest

javax-websocket-server-impl-9.2.22.v20170606.jar

Description:

 javax.websocket.server Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-server-impl\9.2.22.v20170606\585c9c98840de232567001b0b942b86d7fb03b7d\javax-websocket-server-impl-9.2.22.v20170606.jar
MD5: 93cbdf20cea292ab8f10fbace393fe25
SHA1: 585c9c98840de232567001b0b942b86d7fb03b7d
SHA256:03fc6623ad62bb0efc8a014ffb97af4bec4ccc689ee0b11b82ef028de71b446b
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty.websocket:javax-websocket-server-impl:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-annotations-9.2.22.v20170606.jar

Description:

 Annotation support for deploying servlets in jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-annotations\9.2.22.v20170606\11f0e1247e3e15bb0ddd76cf7ba401898b4122f2\jetty-annotations-9.2.22.v20170606.jar
MD5: f3e65b0647ce6ef17ed28583cba26d32
SHA1: 11f0e1247e3e15bb0ddd76cf7ba401898b4122f2
SHA256:699830afc9c0e19a45dfa710d7e011e04dd81433b06ca6c83589d7f375290164
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-annotations:9.2.22.v20170606  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-plus-9.2.22.v20170606.jar

Description:

 Jetty JavaEE style services

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\9.2.22.v20170606\405532505073be1c3a939c472b3437ffbba1d004\jetty-plus-9.2.22.v20170606.jar
MD5: 1a8ceb48905d6e8e267c8591672083c9
SHA1: 405532505073be1c3a939c472b3437ffbba1d004
SHA256:f9bd9afb13ba3748174aac6789a188d0b94510401eaf0b8d9bfb7ce981be3fb9
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-plus:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-webapp-9.2.22.v20170606.jar

Description:

 Jetty web application support

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.2.22.v20170606\1b512e26860e651567a35abd12cfa3772bc61902\jetty-webapp-9.2.22.v20170606.jar
MD5: 944f48958cc3029a66e0865237ea5cc6
SHA1: 1b512e26860e651567a35abd12cfa3772bc61902
SHA256:6100c42cc82958c10c40db7a926ec1f60a67fc0a085afa38811fa77dca45b1a7
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-webapp:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-server-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-server\9.2.22.v20170606\f62e43a84b2f99c142a3c4b50e4502f8495b7747\websocket-server-9.2.22.v20170606.jar
MD5: 9cb24fc20295014d061742a9b043b161
SHA1: f62e43a84b2f99c142a3c4b50e4502f8495b7747
SHA256:a70a25b1ba88aa5247a99aa67220b6583e65928b08bedfbfa9fd9aa5af0e23ec
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-server:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-servlet-9.2.22.v20170606.jar

Description:

 Jetty Servlet Container

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.2.22.v20170606\db0b1b9965a7627e376f17af311cf01c18d20a2f\jetty-servlet-9.2.22.v20170606.jar
MD5: de0b2ec0a5aeda9d9c3f30d8009754ba
SHA1: db0b1b9965a7627e376f17af311cf01c18d20a2f
SHA256:9fe4551bf299f656d36d3b0085514336cb7b681fdb63ccff498fa52959419588
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-servlet:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-security-9.2.22.v20170606.jar

Description:

 Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.2.22.v20170606\489ec37fcbe2e7ed5d36f010cdc197c42e1181\jetty-security-9.2.22.v20170606.jar
MD5: 84a61770bf6e3551cb94382321e18612
SHA1: 00489ec37fcbe2e7ed5d36f010cdc197c42e1181
SHA256:79efe0c23455b77259f6f3a925bfa0f758ea0f50d13cfc632ac9bbd39563fc5d
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-security:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-server-9.2.22.v20170606.jar

Description:

 The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.2.22.v20170606\f7d36a5ee7e68a7bbd0f404af90b4c1269c65c1\jetty-server-9.2.22.v20170606.jar
MD5: 63870c71bf0a4b5a27af94283effc457
SHA1: 0f7d36a5ee7e68a7bbd0f404af90b4c1269c65c1
SHA256:0511ed658eac69d74c83a8d7b597d3e27053347dd887da6e81574f7fe7cfce46
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-server:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-jsp-9.2.22.v20170606.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jsp\9.2.22.v20170606\a906c7384eeaf0f33bf526a3143bc83c6b15a349\jetty-jsp-9.2.22.v20170606.jar
MD5: d3a96a9dcf5feaa403889cb20c108b78
SHA1: a906c7384eeaf0f33bf526a3143bc83c6b15a349
SHA256:fcf4bb8a304b2c81be6c7400be619ae1755ccdee1fe826e852db863cd8ffce46
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-jsp:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-servlet-9.2.22.v20170606.jar

Description:

 Websocket Servlet Interface

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-servlet\9.2.22.v20170606\2660da1535bcab7e7a330432e14ec35796038a98\websocket-servlet-9.2.22.v20170606.jar
MD5: 78f2caefa225c709f47e97cd53bd0564
SHA1: 2660da1535bcab7e7a330432e14ec35796038a98
SHA256:b790f26c1e5852e2a280496c897c40f8a8fd75993a83de46229ce705b6990795
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-servlet:9.2.22.v20170606  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

asm-commons-5.0.3.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-commons\5.0.3\a7111830132c7f87d08fe48cb0ca07630f8cb91c\asm-commons-5.0.3.jar
MD5: 49c4bd16df054f7b7376fcb80de5a225
SHA1: a7111830132c7f87d08fe48cb0ca07630f8cb91c
SHA256:18c1e092230233c9d29e46f21943d769bdb48130cc279e4b0e663f423948c2da
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.ow2.asm:asm-commons:5.0.3  Confidence:Highest

asm-tree-5.0.3.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-tree\5.0.3\287749b48ba7162fb67c93a026d690b29f410bed\asm-tree-5.0.3.jar
MD5: 94abc9b0126e1ec2c12625dfce54e32e
SHA1: 287749b48ba7162fb67c93a026d690b29f410bed
SHA256:347a7a9400f9964e87c91d3980e48eebdc8d024bc3b36f7f22189c662853a51c
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.ow2.asm:asm-tree:5.0.3  Confidence:Highest

asm-5.0.3.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm\5.0.3\dcc2193db20e19e1feca8b1240dbbc4e190824fa\asm-5.0.3.jar
MD5: ccebee99fb8cdd50e1967680a2eac0ba
SHA1: dcc2193db20e19e1feca8b1240dbbc4e190824fa
SHA256:71c4f78e437b8fdcd9cc0dfd2abea8c089eb677005a6a5cff320206cc52b46cc
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.ow2.asm:asm:5.0.3  Confidence:Highest

jetty-http-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.2.22.v20170606\ba2028c83e4d54a86ee8d765659d56058b205da8\jetty-http-9.2.22.v20170606.jar
MD5: 53772f65a4f6a5fa96a5cda55c448363
SHA1: ba2028c83e4d54a86ee8d765659d56058b205da8
SHA256:78e7a7381037abe4a739387ea55d977a3e53c31d48b97195740ff2e2edf35303
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-http:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

javax-websocket-client-impl-9.2.22.v20170606.jar

Description:

 javax.websocket.client Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-client-impl\9.2.22.v20170606\3fe47c51cab319446f623b6adf031f56b28b9873\javax-websocket-client-impl-9.2.22.v20170606.jar
MD5: 29a66dc34bcacdba80d622286ee3bb1d
SHA1: 3fe47c51cab319446f623b6adf031f56b28b9873
SHA256:7460d3e26643418b047ff976784e7357c6df781dfd123e15c41362699b989940
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-client-impl:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-client-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-client\9.2.22.v20170606\37d19ba602e78c38c7cafb209ac3477c98e317ee\websocket-client-9.2.22.v20170606.jar
MD5: e4c824c7076a55cd1d799110b7acba16
SHA1: 37d19ba602e78c38c7cafb209ac3477c98e317ee
SHA256:000f3041e64f9c673f9714557299913d15eb8906aeb852f5c45ed1ad3dc38c6c
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-client:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-common-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-common\9.2.22.v20170606\80390f15794c9b7411ff9440f045e9776910fc5a\websocket-common-9.2.22.v20170606.jar
MD5: 96ed95c2d3161a4bd4cf13336bc99996
SHA1: 80390f15794c9b7411ff9440f045e9776910fc5a
SHA256:fb27c102e1a811adfe555b8a102b185465fab4f487b8bc1428fd4523bbfa0f5a
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-common:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-io-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.2.22.v20170606\4995c060104afeab9cedf9e4d0cfb1cacfeece8b\jetty-io-9.2.22.v20170606.jar
MD5: 083116d9dadfdf9e82ccd733e0332d5b
SHA1: 4995c060104afeab9cedf9e4d0cfb1cacfeece8b
SHA256:21e8797c0d1fca20509ee44cf3b013ae09c184dae1806e8995d844f857ca6799
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.2.22.v20170606  Confidence:Highest

jetty-xml-9.2.22.v20170606.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.2.22.v20170606\3331ee02dcca4dd2f0a6bd864287b2a886e5e17e\jetty-xml-9.2.22.v20170606.jar
MD5: b74bfcca81a18d90946a6960bd902d31
SHA1: 3331ee02dcca4dd2f0a6bd864287b2a886e5e17e
SHA256:46df4c3fdb7ab77367c71d6af3cc59422b68ae9aefbd6231a32f8daafd7691c8
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-xml:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-schemas-3.1.M0.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.toolchain\jetty-schemas\3.1.M0\6179bafb6ed2eb029862356df6713078c7874f85\jetty-schemas-3.1.M0.jar
MD5: 163aba653172131b21223b87ce5abf29
SHA1: 6179bafb6ed2eb029862356df6713078c7874f85
SHA256:bb94452226bf103848614948c88f44d1057c2d9203d53affc1c9057a16223907
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty.toolchain:jetty-schemas:3.1.M0  Confidence:Highest

javax.servlet.jsp-2.3.2.jar

Description:

 Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.glassfish.web\javax.servlet.jsp\2.3.2\613f624102267b1397e845b3181a72273bd6f399\javax.servlet.jsp-2.3.2.jar
MD5: fa21e48138803802e3ea2293b79fda47
SHA1: 613f624102267b1397e845b3181a72273bd6f399
SHA256:197a9f8ed0b8c72a900e1dd3045ec03e0dcc33a2c9615eb0965bbf79df1cc460
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.glassfish.web:javax.servlet.jsp:2.3.2  Confidence:Highest
  • cpe: cpe:/a:oracle:jsp:2.3.2  Confidence:Low  

javax.servlet.jsp-api-2.3.1.jar

Description:

 Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.servlet.jsp\javax.servlet.jsp-api\2.3.1\95c630902565feda8155eb32d46064ef348435fc\javax.servlet.jsp-api-2.3.1.jar
MD5: 2c407d9df1dc0ca76058ae1602e99f08
SHA1: 95c630902565feda8155eb32d46064ef348435fc
SHA256:b1306f5cc721e25e290d2b244af7bfb870a7e072bd32f17350712d1626a74f4b
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: javax.servlet.jsp:javax.servlet.jsp-api:2.3.1  Confidence:Highest
  • cpe: cpe:/a:oracle:jsp:2.3.1  Confidence:Low  

javax.servlet.jsp.jstl-1.2.2.jar

Description:

 Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.glassfish.web\javax.servlet.jsp.jstl\1.2.2\5b2e83ef42b4eef0a7e41d43bb1d4b835f59ac7a\javax.servlet.jsp.jstl-1.2.2.jar
MD5: a2c25f101d381eb966ea1b6237d8bdf3
SHA1: 5b2e83ef42b4eef0a7e41d43bb1d4b835f59ac7a
SHA256:50c513e8500dc55e813fe282f84f7b4fddbe32f44bc08228e7409f9362e8ca18
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.glassfish.web:javax.servlet.jsp.jstl:1.2.2  Confidence:Highest

javax.el-3.0.0.jar

Description:

 Expression Language 3.0 API and Implementation

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.glassfish\javax.el\3.0.0\dd532526e7c8de48e40419e6af1183658a973379\javax.el-3.0.0.jar
MD5: 9b413b6b4c57f68cc3e8649f754153f5
SHA1: dd532526e7c8de48e40419e6af1183658a973379
SHA256:5ed77b9150c1cb6bdc1a195bb536eef6eb65f46f4412e26c24288690ea8033ec
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.glassfish:javax.el:3.0.0  Confidence:Highest

org.eclipse.jdt.core-3.8.2.v20130121.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.orbit\org.eclipse.jdt.core\3.8.2.v20130121\ebb04771ae21dec8682e4153e97404d9933a9c13\org.eclipse.jdt.core-3.8.2.v20130121.jar
MD5: bbcc2904953263282f55ebb3b8cfbc95
SHA1: ebb04771ae21dec8682e4153e97404d9933a9c13
SHA256:fc38504b81078d4a39e4f037bf635b9183a4e313d2d23b0f7be8a21f2ac8ab98
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty.orbit:org.eclipse.jdt.core:3.8.2.v20130121  Confidence:Highest

javax.annotation-api-1.2.jar

Description:

 Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\javax.annotation\javax.annotation-api\1.2\479c1e06db31c432330183f5cae684163f186146\javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty9
  • webApplication:grettyRunnerJetty94

Identifiers

  • maven: javax.annotation:javax.annotation-api:1.2  Confidence:Highest

jetty-jndi-9.2.22.v20170606.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\9.2.22.v20170606\493378f1f1af9d2b34d72d20ee4c7ffa68c29605\jetty-jndi-9.2.22.v20170606.jar
MD5: 4d45d4757ce14913889ff659029862d3
SHA1: 493378f1f1af9d2b34d72d20ee4c7ffa68c29605
SHA256:e245d05cfffba858a0d0d325e6a310bc0b55be49b87869c6b3cbbdc934b963df
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-jndi:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-util-9.2.22.v20170606.jar

Description:

 Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.2.22.v20170606\747d17f6cd662f87d5ab5e08b572a1f1ce85ccb9\jetty-util-9.2.22.v20170606.jar
MD5: 9c078eef99cee9321ee4d02e1c84647c
SHA1: 747d17f6cd662f87d5ab5e08b572a1f1ce85ccb9
SHA256:0feed515eff6da777b98dce080be39f0509a754b47f38b1991bf1784de3b1e01
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty:jetty-util:9.2.22.v20170606  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.22.v20170606  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.22.v20170606  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-api-9.2.22.v20170606.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-api\9.2.22.v20170606\a6f40b35a92456bbf7ab7f20b458c369fccce06f\websocket-api-9.2.22.v20170606.jar
MD5: 36fc162b796404bfede1234166a5d9f2
SHA1: a6f40b35a92456bbf7ab7f20b458c369fccce06f
SHA256:cbfa23d84e0fd002d0472450e1599ff22c2b5ba503e13b7521fa27acefebb785
Referenced In Project/Scope:webApplication:grettyRunnerJetty9

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.2.22.v20170606  Confidence:Highest

gretty-runner-jetty93-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty93\2.0.0\8c10354d22d0e5c636f99eb1822739e9eb5b4817\gretty-runner-jetty93-2.0.0.jar
MD5: c52a9eb0d11b910334513ed0a74dc95c
SHA1: 8c10354d22d0e5c636f99eb1822739e9eb5b4817
SHA256:bc57e65382d516f2ceb3aa7ec9f8c99072af657d00e1d7ac5216a21161520457
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty93:2.0.0  Confidence:Highest

javax-websocket-server-impl-9.3.20.v20170531.jar

Description:

 javax.websocket.server Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-server-impl\9.3.20.v20170531\875d9564c9128ac644089f29987fa380a02db3d7\javax-websocket-server-impl-9.3.20.v20170531.jar
MD5: b725e077bcfd8bf2750adcd6bf123c4b
SHA1: 875d9564c9128ac644089f29987fa380a02db3d7
SHA256:2e6b57e096f9007fe36dfd620943a0da2ab3b5e2cde564edbec80e42c7e11b93
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty.websocket:javax-websocket-server-impl:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-annotations-9.3.20.v20170531.jar

Description:

 Annotation support for deploying servlets in jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-annotations\9.3.20.v20170531\53876fc19d12a81ef3b362ff22f666dfa81f22e3\jetty-annotations-9.3.20.v20170531.jar
MD5: 689aa771a8c76364305ba6ceb292b079
SHA1: 53876fc19d12a81ef3b362ff22f666dfa81f22e3
SHA256:309cdd565968b21982706ddb28ced07de5042d9beea32740d1ad885ffb079e62
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-annotations:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-plus-9.3.20.v20170531.jar

Description:

 Jetty JavaEE style services

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\9.3.20.v20170531\986daac14b43331c0e93f115797849883f12a584\jetty-plus-9.3.20.v20170531.jar
MD5: d5992fdc052133da91cda93487bd36b4
SHA1: 986daac14b43331c0e93f115797849883f12a584
SHA256:4fdb31d99f72556468d18ff7baf7f268a67a0770bec67f87c474d87856e31f35
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-plus:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-webapp-9.3.20.v20170531.jar

Description:

 Jetty web application support

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.3.20.v20170531\5b41166ce279c481216501d45c0d0f4f6da23c0b\jetty-webapp-9.3.20.v20170531.jar
MD5: 9003b754b85d1292390339dcf4db140e
SHA1: 5b41166ce279c481216501d45c0d0f4f6da23c0b
SHA256:e800d0b0035c8fb8a0f813c5dc7129fbfbe3808a256d85ce815dcfca43513ef1
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-webapp:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

websocket-server-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Server

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-server\9.3.20.v20170531\bd02308e72e73f60f3b313e831b18a899c04658e\websocket-server-9.3.20.v20170531.jar
MD5: cb75277527409ba3530554a773c2dc95
SHA1: bd02308e72e73f60f3b313e831b18a899c04658e
SHA256:c75dca33532f9884e044dfa2e3772a23dc91bfdfe3db9676c2ccf03ca12eba7d
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-server:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-servlet-9.3.20.v20170531.jar

Description:

 Jetty Servlet Container

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.3.20.v20170531\21a698f9d58d03cdf58bf2a40f93de58c2eab138\jetty-servlet-9.3.20.v20170531.jar
MD5: 0c67bc178e97f109a1fa4f550b82d1ff
SHA1: 21a698f9d58d03cdf58bf2a40f93de58c2eab138
SHA256:4df199455e956d6aecc144364240a871e9927cc29c6654416f97a2658cf0ebae
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-servlet:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-security-9.3.20.v20170531.jar

Description:

 Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.3.20.v20170531\9e2ded957c05f447a0611fa64ca4ab5f7cc5aa65\jetty-security-9.3.20.v20170531.jar
MD5: 71ce7271d5f56f87302f4c56a9cd82b1
SHA1: 9e2ded957c05f447a0611fa64ca4ab5f7cc5aa65
SHA256:ef370740c45137aa3e6b6217dc03358d16566e5e6c00b0e1cb3ad777491846c3
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-security:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-server-9.3.20.v20170531.jar

Description:

 The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.3.20.v20170531\6a1523d44ebb527eed068a5c8bfd22edd6a20530\jetty-server-9.3.20.v20170531.jar
MD5: 72bf06940de1eff7f1779aacddb956ec
SHA1: 6a1523d44ebb527eed068a5c8bfd22edd6a20530
SHA256:7e6e87876b234ad4b7ef001d7df8670b2c620308c23e091fad2e9c3f142af8cb
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-server:9.3.20.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

apache-jsp-9.3.20.v20170531.jar

Description:

 Jetty-specific ServletContainerInitializer for Jasper

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\apache-jsp\9.3.20.v20170531\dc1b4b9e4b9bd756f25eeba8c8de4b10942ce79f\apache-jsp-9.3.20.v20170531.jar
MD5: f2fbbd854f5e212b0ccd601a8a8df808
SHA1: dc1b4b9e4b9bd756f25eeba8c8de4b10942ce79f
SHA256:4d67c749aeafb7096d8e2d84f575743eb2757b54ea8fbb911c8c2bfc71b48d5f
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:apache-jsp:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

websocket-servlet-9.3.20.v20170531.jar

Description:

 Websocket Servlet Interface

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-servlet\9.3.20.v20170531\57893242e63bffc425200e74651a913ac6d0ec58\websocket-servlet-9.3.20.v20170531.jar
MD5: a8b3bf064bdec7be1080bd96369dc4ec
SHA1: 57893242e63bffc425200e74651a913ac6d0ec58
SHA256:c07acd6c1d6bc28d7d84bee09e7b8349cd088572499c283d9233fc652588f311
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-servlet:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-http-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: Http Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.3.20.v20170531\32f5fe22ed468a49df1ffcbb27c39c1b53f261aa\jetty-http-9.3.20.v20170531.jar
MD5: b9ea5e7cd37d187fed052609265f53d0
SHA1: 32f5fe22ed468a49df1ffcbb27c39c1b53f261aa
SHA256:14c5ce646e844d61069ffcb542ca77fbdcb244325b313d267c157ee47501d036
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty:jetty-http:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

javax-websocket-client-impl-9.3.20.v20170531.jar

Description:

 javax.websocket.client Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-client-impl\9.3.20.v20170531\fa72d917ec90bdb8e312f01d4616bf7a776933de\javax-websocket-client-impl-9.3.20.v20170531.jar
MD5: e8d21e6052b75c590d7dc1c2aee8b40b
SHA1: fa72d917ec90bdb8e312f01d4616bf7a776933de
SHA256:673f3bff4b6f137eca7458d86545e0089f104eb97a456ab1fb8ad64decd5f4dc
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-client-impl:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

websocket-client-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Client

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-client\9.3.20.v20170531\6c9593d964eee588c3ecc4c7259873cc9f9be0fc\websocket-client-9.3.20.v20170531.jar
MD5: c6d47810c8af9f3a54da1cc70cceabf4
SHA1: 6c9593d964eee588c3ecc4c7259873cc9f9be0fc
SHA256:b2ffa5a2f4440c8c266b643aeea37571d7c9062f9bdb6d3fd7e4d91277b7522d
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-client:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

websocket-common-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Common

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-common\9.3.20.v20170531\c6e21ead086899894d17789b111162fe682c1741\websocket-common-9.3.20.v20170531.jar
MD5: ffadb7dad9d4c2a7518628a6be929ab7
SHA1: c6e21ead086899894d17789b111162fe682c1741
SHA256:c6d42bbd4e78d03017b4b9cc50a63b87ea1ea705404e3e441643c97ade173f2e
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-common:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-io-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.3.20.v20170531\5b68e7761fcacefcf26ad9ab50943db65fda2c3d\jetty-io-9.3.20.v20170531.jar
MD5: b295516e5fed7cc46742a96200bf288c
SHA1: 5b68e7761fcacefcf26ad9ab50943db65fda2c3d
SHA256:3d85cc7c8b85f6ab251d0552b0df83c024bd191a48513a6e8c490ab78b8076aa
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.3.20.v20170531  Confidence:Highest

jetty-xml-9.3.20.v20170531.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.3.20.v20170531\9f3f158a6a4587c4283561a3a3fc5a187173becf\jetty-xml-9.3.20.v20170531.jar
MD5: d5a8bab27a3ac30cff5e878854844d28
SHA1: 9f3f158a6a4587c4283561a3a3fc5a187173becf
SHA256:81e7b3bdece43e7ead518f78ee3a92d360c2bb643f58eb8b4a252be540c04958
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-xml:9.3.20.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-jndi-9.3.20.v20170531.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\9.3.20.v20170531\c1e7dbf96d6fc49c5c02db28c6e7924e0e64378\jetty-jndi-9.3.20.v20170531.jar
MD5: 38e9a5c93ad31b49b139e1172b1ce8bd
SHA1: 0c1e7dbf96d6fc49c5c02db28c6e7924e0e64378
SHA256:e7143cf140858d3a384c0918a814dea43b13ecaf8cc03fb8bfd255931bfb3aff
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jndi:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

jetty-util-9.3.20.v20170531.jar

Description:

 Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.3.20.v20170531\19ce4203809da37f8ea7a5632704fa71b6f0ccc2\jetty-util-9.3.20.v20170531.jar
MD5: 6718dc66c89f29b787298afe5b08a68f
SHA1: 19ce4203809da37f8ea7a5632704fa71b6f0ccc2
SHA256:c1ca51296a25dbe04dc0e569fdba1aeb25738798ea8c89dd40018804a5ee9464
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty:jetty-util:9.3.20.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.3.20  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.20.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

apache-jsp-8.0.33.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies,       so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-jsp\8.0.33\fff650d799582ca4ad4eb0e5ae39f603d5fc7919\apache-jsp-8.0.33.jar
MD5: e7adb51f63520f2d40f68f080056532f
SHA1: fff650d799582ca4ad4eb0e5ae39f603d5fc7919
SHA256:c02fb98a596cc52abcb4337d62a858c1af6124b45f10594a56e8fa66aa167e15
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • cpe: cpe:/a:jasper_project:jasper:8.0.33  Confidence:Low  
  • maven: org.mortbay.jasper:apache-jsp:8.0.33  Confidence:Highest
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.33  Confidence:Low  

jetty-schemas-3.1.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.toolchain\jetty-schemas\3.1\98bb827bdf254fd353bab0c53324c0848076b42c\jetty-schemas-3.1.jar
MD5: 72724fe34a75d0f4ab21a3869734faee
SHA1: 98bb827bdf254fd353bab0c53324c0848076b42c
SHA256:b58ddbe2025d80ada24409ae6e66fb2e56226538fa847d59c5df0ca7432b554e
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty.toolchain:jetty-schemas:3.1  Confidence:Highest

ecj-4.4.2.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jdt.core.compiler\ecj\4.4.2\71d67f5bab9465ec844596ef844f40902ae25392\ecj-4.4.2.jar
MD5: ee97ab38f390547839b950bb51bf5cb5
SHA1: 71d67f5bab9465ec844596ef844f40902ae25392
SHA256:2d6ee21554bbba012b6b0383be6e6587fa35370104e41c10a3eb47039fa3e6d1
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerJetty93
  • webApplication:grettyRunnerJetty94
  • webApplication:grettyRunnerTomcat7

Identifiers

  • maven: org.eclipse.jdt.core.compiler:ecj:4.4.2  Confidence:Highest

apache-el-8.0.33.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies,       so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-el\8.0.33\1b8fa2179b3937cada939317bb135815e79c0ac2\apache-el-8.0.33.jar
MD5: 06e24f293b60a619808c85fa83cec100
SHA1: 1b8fa2179b3937cada939317bb135815e79c0ac2
SHA256:ff518fb5d8d1fb1e83500bbf184ee870cfb6c2a77b85db48b6839d5d833fb3c7
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.mortbay.jasper:apache-el:8.0.33  Confidence:Highest
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.33  Confidence:Low  

websocket-api-9.3.20.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: API

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-api\9.3.20.v20170531\c787782c5acbf916dc05277c98f5e9a76497eb32\websocket-api-9.3.20.v20170531.jar
MD5: e70cd52e9b48a30088c18c4ef1dc203f
SHA1: c787782c5acbf916dc05277c98f5e9a76497eb32
SHA256:d49e5e5c9c199c016c02a8d973cb72e9cfbb4cdaaa72f79cdf52cd8204487e56
Referenced In Project/Scope:webApplication:grettyRunnerJetty93

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.3.20.v20170531  Confidence:Highest

gretty-runner-jetty94-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-jetty94\2.0.0\1350bdcf4a7bd2aba050c633cdb9f67de8c2f4ca\gretty-runner-jetty94-2.0.0.jar
MD5: f2c28a805f744c0478ebc03df15b8341
SHA1: 1350bdcf4a7bd2aba050c633cdb9f67de8c2f4ca
SHA256:7c731bd8a7028030b143d345ec854d4efef06abbbac34c6c62af06b17ab4a28a
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.0.0  Confidence:Low  
  • maven: org.akhikhl.gretty:gretty-runner-jetty94:2.0.0  Confidence:Highest

javax-websocket-server-impl-9.4.6.v20170531.jar

Description:

 javax.websocket.server Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-server-impl\9.4.6.v20170531\df28c3f3347bca9425811843196cebae3e66ce20\javax-websocket-server-impl-9.4.6.v20170531.jar
MD5: 39cf82d24855dd513819e33d16df0ed1
SHA1: df28c3f3347bca9425811843196cebae3e66ce20
SHA256:ddf4e0004a4c5df8c36b1724be34f3b67f63cc78c70c2e9ef0d07776ad9a0058
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-annotations-9.4.6.v20170531.jar

Description:

 Annotation support for deploying servlets in jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-annotations\9.4.6.v20170531\6ccc93bb46c6014c7b383efeb14c1233ecb081d9\jetty-annotations-9.4.6.v20170531.jar
MD5: 92424061d0496d68b65bb0374a3af326
SHA1: 6ccc93bb46c6014c7b383efeb14c1233ecb081d9
SHA256:1b97231d8548720990f6ae364c95547f13b2dd28dd97841cf0518a201d5c3376
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-annotations:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-plus-9.4.6.v20170531.jar

Description:

 Jetty JavaEE style services

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\9.4.6.v20170531\8b6922eb2746ffe801457d400de9e99e21c491b5\jetty-plus-9.4.6.v20170531.jar
MD5: 233145a631d26da9f6a9e4d5200d8eff
SHA1: 8b6922eb2746ffe801457d400de9e99e21c491b5
SHA256:54fc0154d4d78a2b71744771055676d620904a57ec33560e9412a2e6e9771549
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-plus:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-webapp-9.4.6.v20170531.jar

Description:

 Jetty web application support

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.4.6.v20170531\3e64618f88061ecd5538e6092f44e7410609e41c\jetty-webapp-9.4.6.v20170531.jar
MD5: 78645f21330a231b7a6f67838de4f648
SHA1: 3e64618f88061ecd5538e6092f44e7410609e41c
SHA256:67e15f3681ba136cca49710b67c45a3834fed247eab8959082e2d145831380ce
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-webapp:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

websocket-server-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Server

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-server\9.4.6.v20170531\3df260d52e941345ad40498bb23307ec3e9c2683\websocket-server-9.4.6.v20170531.jar
MD5: f5591f58d8062397d4cd68235ab6589a
SHA1: 3df260d52e941345ad40498bb23307ec3e9c2683
SHA256:f0de5c3aa02b64dd7a6849d20e92172ff50366cea161dc1000165745845582b4
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-server:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-servlet-9.4.6.v20170531.jar

Description:

 Jetty Servlet Container

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.4.6.v20170531\7d302b454433ee1b9799761c23d0323542f2525b\jetty-servlet-9.4.6.v20170531.jar
MD5: 98f79381146eac82224fc0ea3a556379
SHA1: 7d302b454433ee1b9799761c23d0323542f2525b
SHA256:2aa220dd22e5572af6e6922b259fdc35a4c7575d021bcc5c1d581b6d9096754d
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-servlet:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-security-9.4.6.v20170531.jar

Description:

 Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.4.6.v20170531\6c4cdac99130d887abc6fa6645adcd033f763d02\jetty-security-9.4.6.v20170531.jar
MD5: 240426c9357bbfc02f9009ce5991a0fa
SHA1: 6c4cdac99130d887abc6fa6645adcd033f763d02
SHA256:d4f58c78bef67eb32086061b29b79808814f13e49790691c32e3fde2c7ad37ca
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-security:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-server-9.4.6.v20170531.jar

Description:

 The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.4.6.v20170531\afda653f00267fb8b501cafd1cf5cdd1615602a2\jetty-server-9.4.6.v20170531.jar
MD5: 14101a246583c869abb8942bdca60193
SHA1: afda653f00267fb8b501cafd1cf5cdd1615602a2
SHA256:0f130457245b7561efd7fcc8e74dd49845ed716acde3f45f18eadf43afbcf593
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-server:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

apache-jsp-9.4.6.v20170531.jar

Description:

 Jetty-specific ServletContainerInitializer for Jasper

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\apache-jsp\9.4.6.v20170531\d752ad5fa437d22ce8b13514233b63e1d7d3dce4\apache-jsp-9.4.6.v20170531.jar
MD5: 297b5bec27c2d9524a827b002eb1ae01
SHA1: d752ad5fa437d22ce8b13514233b63e1d7d3dce4
SHA256:d85ec3d706d36f6ab562253faed37f6771a2a87c6942ddc017dd9ee53e67d1ea
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:apache-jsp:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

websocket-servlet-9.4.6.v20170531.jar

Description:

 Websocket Servlet Interface

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-servlet\9.4.6.v20170531\6f4f1a91e61cc15060ea0beecc7a5d035c1d65f6\websocket-servlet-9.4.6.v20170531.jar
MD5: 588484e460c042f3f97871580553dc4b
SHA1: 6f4f1a91e61cc15060ea0beecc7a5d035c1d65f6
SHA256:c2cf6d9b69bad2c524eed4392ce18c2efa9839643102544a3394ec82054ea4a7
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-servlet:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

javax-websocket-client-impl-9.4.6.v20170531.jar

Description:

 javax.websocket.client Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\javax-websocket-client-impl\9.4.6.v20170531\89157efdf0a2d305276b622e51722275eff28060\javax-websocket-client-impl-9.4.6.v20170531.jar
MD5: a2c86bb160638c6adb415aa34431ef6e
SHA1: 89157efdf0a2d305276b622e51722275eff28060
SHA256:20b1f93b9f91783337c5aac0a879464930a2adf7000765bc3822781dabd87ad4
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

websocket-client-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Client

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-client\9.4.6.v20170531\7abf96c2a2afa5966fea35375fc0280e1365b8eb\websocket-client-9.4.6.v20170531.jar
MD5: 94adee4327f23698718f7e28e7079255
SHA1: 7abf96c2a2afa5966fea35375fc0280e1365b8eb
SHA256:b808aa32e34da257cc102f7e80d7fc4a55fe88969d64fb25e0963e2ca7428447
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-client:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-client-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Asynchronous HTTP Client

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-client\9.4.6.v20170531\ec4139632f338738124e1d77824e3b73be1c6f5f\jetty-client-9.4.6.v20170531.jar
MD5: cf9a8425c455aaa173965f910f5475e5
SHA1: ec4139632f338738124e1d77824e3b73be1c6f5f
SHA256:dfc17e4bae393dfcd05d5f867ac4dac6e1f1aa9efb91dd9760ad4de51bf3e0b4
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-client:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-http-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Http Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.4.6.v20170531\6c2dd034fc4128ea65f2d0199473cbfb80aeb428\jetty-http-9.4.6.v20170531.jar
MD5: 2f1b075e2ead46b9c99af71d479afe78
SHA1: 6c2dd034fc4128ea65f2d0199473cbfb80aeb428
SHA256:2e661446bc74a55dc58c4f47314abdaaae20669fcbc858daee513473dbbcd97d
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-http:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

websocket-common-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: Common

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-common\9.4.6.v20170531\32ddd92bdb1b9351369b32d770667706c1a7fb67\websocket-common-9.4.6.v20170531.jar
MD5: e903e735cf7d5c9157446fe4b0ef0685
SHA1: 32ddd92bdb1b9351369b32d770667706c1a7fb67
SHA256:b15b2a505c7e03fff64461347e928ced5b2959d24c58e28a96a23efe957d6616
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-common:9.4.6.v20170531  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-io-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.4.6.v20170531\69cdaaac75739eff9ccb4c61f87e4fa3ba280f9\jetty-io-9.4.6.v20170531.jar
MD5: f1e91e04eaeb29a1c95db02f5640cb16
SHA1: 069cdaaac75739eff9ccb4c61f87e4fa3ba280f9
SHA256:6357631d9da902ac82f9bec39137e301fd6aeff65f43c4d0ef918e3d2845e440
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.4.6.v20170531  Confidence:Highest

jetty-xml-9.4.6.v20170531.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.4.6.v20170531\25818a656163364b89966fbfdc6f43a8d8b65d2a\jetty-xml-9.4.6.v20170531.jar
MD5: 7a6d5917b1c066cfef3b046f9c44ba3b
SHA1: 25818a656163364b89966fbfdc6f43a8d8b65d2a
SHA256:73a6460c8f856cadeb4f9b2469532b9ac2a5f9de2b6cdefe81aabd73a5a89a6d
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-xml:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-jndi-9.4.6.v20170531.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\9.4.6.v20170531\edd0d3be0e680699e089fbf882e10c5705fcfed6\jetty-jndi-9.4.6.v20170531.jar
MD5: 53f504f2fa3fc9488cb4a6b41d62b17b
SHA1: edd0d3be0e680699e089fbf882e10c5705fcfed6
SHA256:37306f68adbb377647809c9803c11fe451989d31592a63b2a26198ecc934adb6
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-jndi:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

jetty-util-9.4.6.v20170531.jar

Description:

 Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.4.6.v20170531\78628ec5cfafbb5b8085342322515c65fadfa1cc\jetty-util-9.4.6.v20170531.jar
MD5: 02c722dac2b911ca9a08460d09ab163d
SHA1: 78628ec5cfafbb5b8085342322515c65fadfa1cc
SHA256:1616ce767bbd50b9dcad7c9ff074e8bc9736957d3bd4bd82362452b1461b2acc
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty:jetty-util:9.4.6.v20170531  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.6.v20170531  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions: (show all)

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions: (show all)

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions: (show all)

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions: (show all)

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions: (show all)

apache-jsp-8.5.9.1.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies,       so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-jsp\8.5.9.1\331cedca956a09e9c3284d8ea080f8fe71657099\apache-jsp-8.5.9.1.jar
MD5: 42c0ebc16253f4189ad6d1abd35b5406
SHA1: 331cedca956a09e9c3284d8ea080f8fe71657099
SHA256:2822887d3ce49428209d5fe28bc5070c256a71319ad6124dbd4b23cd171bbdeb
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.mortbay.jasper:apache-jsp:8.5.9.1  Confidence:Highest
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.5.9.1  Confidence:Low  
  • cpe: cpe:/a:jasper_project:jasper:8.5.9.1  Confidence:Low  

apache-el-8.5.9.1.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies,       so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-el\8.5.9.1\6ca0976b16fe81da64f2b44473dcfe30a92b3e92\apache-el-8.5.9.1.jar
MD5: d7c86398c3395aa186965aa94ba2a6c5
SHA1: 6ca0976b16fe81da64f2b44473dcfe30a92b3e92
SHA256:ed7f3c731a3b439a58c79f9e44da4c016d6c1e059cf6bc9540bf00e587dffc06
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.5.9.1  Confidence:Low  
  • maven: org.mortbay.jasper:apache-el:8.5.9.1  Confidence:Highest

websocket-api-9.4.6.v20170531.jar

Description:

 Jetty module for Jetty :: Websocket :: API

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-api\9.4.6.v20170531\67e88613850da0aa0874e9b6bc2d7dd812968346\websocket-api-9.4.6.v20170531.jar
MD5: 2ad6b3e28f631e287ae11bf38b37b9ab
SHA1: 67e88613850da0aa0874e9b6bc2d7dd812968346
SHA256:d15cf3ccbd5ff0150df116e27e95b34c58f603da7b2b38f1a4308c890c37bf30
Referenced In Project/Scope:webApplication:grettyRunnerJetty94

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.4.6.v20170531  Confidence:Highest

gretty-runner-tomcat7-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-tomcat7\2.0.0\9f60f906eacf5954a057d4c788f32d1e271c0330\gretty-runner-tomcat7-2.0.0.jar
MD5: 66d587d52604eb214a43675fa858fb3d
SHA1: 9f60f906eacf5954a057d4c788f32d1e271c0330
SHA256:b1c27bd77c9a0a675e780809600e3c048fa3575c9911013ac48e1d9cb55fac45
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • maven: org.akhikhl.gretty:gretty-runner-tomcat7:2.0.0  Confidence:Highest

gretty-runner-tomcat-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-tomcat\2.0.0\9fca72beff7449103279bc54adcc14da19d43c9b\gretty-runner-tomcat-2.0.0.jar
MD5: 4d5364da61404f62ce0599f9e1840804
SHA1: 9fca72beff7449103279bc54adcc14da19d43c9b
SHA256:c0bdab726dfdab8c4d1fbd689a1deb51422e51ba6039e2fc076624a7ef66b1d9
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8

Identifiers

  • maven: org.akhikhl.gretty:gretty-runner-tomcat:2.0.0  Confidence:Highest

tomcat-embed-jasper-7.0.78.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-jasper\7.0.78\f6df602abf67462eae360bfb5b805d65ff6da307\tomcat-embed-jasper-7.0.78.jar
MD5: aeb6508a126bb2e71ca71ffd3288bb7a
SHA1: f6df602abf67462eae360bfb5b805d65ff6da307
SHA256:43626b8c2bd0a775e9a0fdea90031c5438d345edef2b1230fb9a5438668c8324
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.78  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat:7.0.78  Confidence:Highest  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.78  Confidence:Low  
  • maven: org.apache.tomcat.embed:tomcat-embed-jasper:7.0.78  Confidence:Highest

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

tomcat-embed-el-7.0.78.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-el\7.0.78\812a2cbcadd0930a8650ed9c4de2da33b9df26a6\tomcat-embed-el-7.0.78.jar
MD5: 0516817807cfbb983c36b95f5e5a4e40
SHA1: 812a2cbcadd0930a8650ed9c4de2da33b9df26a6
SHA256:6e874fd353d61ba29dcb72dbc2de844675f668961feee39c215bd14c3ef772ba
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • maven: org.apache.tomcat.embed:tomcat-embed-el:7.0.78  Confidence:Highest

tomcat-embed-websocket-7.0.78.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-websocket\7.0.78\eefee0eeaead2819955eb92485a9eec881056bb\tomcat-embed-websocket-7.0.78.jar
MD5: c2eb4918d08901d75a06847b433cccc3
SHA1: 0eefee0eeaead2819955eb92485a9eec881056bb
SHA256:37a3ff70a66adf46a57935d180c909e9aeb23f1e0f6d91cbda1adf387c23e01d
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • maven: org.apache.tomcat.embed:tomcat-embed-websocket:7.0.78  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.78  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat:7.0.78  Confidence:Highest  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.78  Confidence:Low  

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

log4j-over-slf4j-1.7.12.jar

Description:

 Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.slf4j\log4j-over-slf4j\1.7.12\d2444c9c7c1923304c25f86c5ee83a79a8166205\log4j-over-slf4j-1.7.12.jar
MD5: 3aa22dbf9b970c1c69054aaba5054002
SHA1: d2444c9c7c1923304c25f86c5ee83a79a8166205
SHA256:59b0c933bb61f0a30f5ae16aa05e9eea120871f27619e67519bb568f20b29f23
Referenced In Projects/Scopes:
  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.12  Confidence:Low  
  • maven: org.slf4j:log4j-over-slf4j:1.7.12  Confidence:Highest

tomcat-embed-core-7.0.78.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-core\7.0.78\ddb63d615ec3944b4394aed6dc825cd0cbb16b21\tomcat-embed-core-7.0.78.jar
MD5: c00346f707fb549a8a18e5044df48df3
SHA1: ddb63d615ec3944b4394aed6dc825cd0cbb16b21
SHA256:1966e105a2c10150614e4863feea7a8f92c01648a6867498c2aec258edc26b75
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.78  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat:7.0.78  Confidence:Highest  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.78  Confidence:Low  
  • maven: org.apache.tomcat.embed:tomcat-embed-core:7.0.78  Confidence:Highest

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

tomcat-embed-logging-log4j-7.0.78.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-logging-log4j\7.0.78\85bd2256269f9fd9684c37413547a4a87359a350\tomcat-embed-logging-log4j-7.0.78.jar
MD5: 5cc307d9931c8fe99cc0c7a4f13c05ea
SHA1: 85bd2256269f9fd9684c37413547a4a87359a350
SHA256:b6f21cd9c5f217e5ae724cf090eb4f1bd4178f217c9ba22ce4d64765525c6e88
Referenced In Project/Scope:webApplication:grettyRunnerTomcat7

Identifiers

  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.78  Confidence:Low  
  • maven: org.apache.tomcat.embed:tomcat-embed-logging-log4j:7.0.78  Confidence:Highest
  • cpe: cpe:/a:apache:tomcat:7.0.78  Confidence:Highest  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.78  Confidence:Low  
  • cpe: cpe:/a:apache:log4j:7.0.78  Confidence:Low  

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

slf4j-api-1.7.12.jar

Description:

 The slf4j API

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.12\8e20852d05222dc286bf1c71d78d0531e177c317\slf4j-api-1.7.12.jar
MD5: 68910bf95dbcf90ce5859128f0f75d1e
SHA1: 8e20852d05222dc286bf1c71d78d0531e177c317
SHA256:0aee9a77a4940d72932b0d0d9557793f872e66a03f598e473f45e7efecdccf99
Referenced In Projects/Scopes:

  • webApplication:grettyRunnerTomcat7
  • webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.12  Confidence:Low  
  • maven: org.slf4j:slf4j-api:1.7.12  Confidence:Highest

gretty-runner-tomcat8-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-runner-tomcat8\2.0.0\571d77ec1be70e10a04d232d8efdeb8257cd50f0\gretty-runner-tomcat8-2.0.0.jar
MD5: 0d8bcd4b0eef7871e0855e962111496f
SHA1: 571d77ec1be70e10a04d232d8efdeb8257cd50f0
SHA256:7e665133afdcec9c22ed8cd8ce3a76d8be38d1245940486a4b557c29569ab59a
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • maven: org.akhikhl.gretty:gretty-runner-tomcat8:2.0.0  Confidence:Highest

tomcat-embed-jasper-8.0.44.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-jasper\8.0.44\266d4bb367b17b4eb8126f0dd509c5e4c06a6f75\tomcat-embed-jasper-8.0.44.jar
MD5: 7ff0f529417a1bd75e278621a7f74894
SHA1: 266d4bb367b17b4eb8126f0dd509c5e4c06a6f75
SHA256:6dad2916210066dccf067aa93389eed95f2ea94df9bb75222113ff0feb953c8e
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:apache:tomcat:8.0.44  Confidence:Highest  
  • maven: org.apache.tomcat.embed:tomcat-embed-jasper:8.0.44  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:8.0.44  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.44  Confidence:Low  

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions: (show all)

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions: (show all)

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

tomcat-embed-websocket-8.0.44.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-websocket\8.0.44\5597bffa2b47d94d80f291d3006ded35bf178b53\tomcat-embed-websocket-8.0.44.jar
MD5: 5b1c1b836f585973f4eacb5c3c3edb03
SHA1: 5597bffa2b47d94d80f291d3006ded35bf178b53
SHA256:439b6c39f47e2475f0458791b38009a3f4de5b4f018295ac2a7fc838103a837d
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:apache:tomcat:8.0.44  Confidence:Highest  
  • maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.0.44  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:8.0.44  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.44  Confidence:Low  

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions: (show all)

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions: (show all)

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

tomcat-embed-core-8.0.44.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-core\8.0.44\f31bfdf279778d5007097354c29e919bd50afe61\tomcat-embed-core-8.0.44.jar
MD5: 868edab9972055f24ac92b171f2b055a
SHA1: f31bfdf279778d5007097354c29e919bd50afe61
SHA256:0e59c6d2490e59d764fefc19aa1cc256dbe30dbe05246a001802d2c59dc9415e
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:apache:tomcat:8.0.44  Confidence:Highest  
  • maven: org.apache.tomcat.embed:tomcat-embed-core:8.0.44  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:8.0.44  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.44  Confidence:Low  

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions: (show all)

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions: (show all)

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

tomcat-embed-el-8.0.44.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-el\8.0.44\bd9fd4277b66e3ecb785a26ca2055847057650f3\tomcat-embed-el-8.0.44.jar
MD5: dba5c37876183f960bbfeaf511f4f46b
SHA1: bd9fd4277b66e3ecb785a26ca2055847057650f3
SHA256:bd34ad91fcbfd5295aef314bdeea1de875896058880049f8dc3b860802196d65
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • maven: org.apache.tomcat.embed:tomcat-embed-el:8.0.44  Confidence:Highest

tomcat-embed-logging-log4j-8.0.44.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-logging-log4j\8.0.44\c51db03ecd56d6d625241c2217fa067483b1c987\tomcat-embed-logging-log4j-8.0.44.jar
MD5: eb3a017310ad2e23d6b0425de3588ed3
SHA1: c51db03ecd56d6d625241c2217fa067483b1c987
SHA256:d21903db5a8bd3ab6f99fc71da3fbfbaf86a273205f8ce5a150cbdb50e1745b1
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • cpe: cpe:/a:apache:tomcat:8.0.44  Confidence:Highest  
  • maven: org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.0.44  Confidence:Highest
  • cpe: cpe:/a:apache:log4j:8.0.44  Confidence:Low  
  • cpe: cpe:/a:apache_software_foundation:tomcat:8.0.44  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.44  Confidence:Low  

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions: (show all)

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions: (show all)

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions: (show all)

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions: (show all)

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions: (show all)

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions: (show all)

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions: (show all)

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions: (show all)

ecj-3.12.3.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.eclipse.jdt\ecj\3.12.3\ade950992eb3caf6ab4f1a88706c755f0bf213d9\ecj-3.12.3.jar
MD5: 33e190a0f0745306de54fba90f381fc3
SHA1: ade950992eb3caf6ab4f1a88706c755f0bf213d9
SHA256:4374ee22ad38e04ee6bcaf781611f2be9d5ee01d7ba84ac55794baa732cce371
Referenced In Project/Scope:webApplication:grettyRunnerTomcat8

Identifiers

  • maven: org.eclipse.jdt:ecj:3.12.3  Confidence:Highest

springloaded-1.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\springloaded\1.2.5.RELEASE\5286364198a1f41d028c1d758ef7e44d2b63d6b1\springloaded-1.2.5.RELEASE.jar
MD5: fa9aa44c6a4d4077db2ef6a92876522f
SHA1: 5286364198a1f41d028c1d758ef7e44d2b63d6b1
SHA256:e45b87c512313e590cb9d4715626a831122df07da96d0c34373c772216c8d6ae
Referenced In Project/Scope:webApplication:grettySpringLoaded

Identifiers

  • maven: org.springframework:springloaded:1.2.5.RELEASE  Confidence:Highest
  • cpe: cpe:/a:springsource:spring_framework:1.2.5  Confidence:Low  

CVE-2011-2730  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions: (show all)

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions: (show all)

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions: (show all)

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions: (show all)

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions: (show all)

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions: (show all)

gretty-starter-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-starter\2.0.0\53615cb7022c3d1e1570e5048289cf86b6bb4161\gretty-starter-2.0.0.jar
MD5: 12dc48e09f7d8f0c13094c2442d33e4c
SHA1: 53615cb7022c3d1e1570e5048289cf86b6bb4161
SHA256:136cfcf2dcff383e001cc1baa3a169c69f234c66edf94430a73e0cf94b2b5b68
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: org.akhikhl.gretty:gretty-starter:2.0.0  Confidence:Highest

gretty-core-2.0.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.akhikhl.gretty\gretty-core\2.0.0\145a188e9825afb8355b65793aded434c571a2c5\gretty-core-2.0.0.jar
MD5: c32da3f8518d8e9f1ae8f177f2ae9b1c
SHA1: 145a188e9825afb8355b65793aded434c571a2c5
SHA256:87723d7eb6f358445b274d58a5d615025544d58f0aab5f29b307e25e9023afdd
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: org.akhikhl.gretty:gretty-core:2.0.0  Confidence:Highest

commons-configuration-1.10.jar

Description:

 Tools to assist in the reading of configuration/preferences files in various formats.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-configuration\commons-configuration\1.10\2b36e4adfb66d966c5aef2d73deb6be716389dc9\commons-configuration-1.10.jar
MD5: b16511ce540fefd53981245f5f21c5f8
SHA1: 2b36e4adfb66d966c5aef2d73deb6be716389dc9
SHA256:95d4e6711e88ce78992c82c25bc03c8df9ecf5a357f0de0bec72a26db3399374
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: commons-configuration:commons-configuration:1.10  Confidence:Highest

commons-lang3-3.3.2.jar

Description:

 
  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-lang3\3.3.2\90a3822c38ec8c996e84c16a3477ef632cbc87a3\commons-lang3-3.3.2.jar
MD5: 3128bf75a2549ebe38663401191bacab
SHA1: 90a3822c38ec8c996e84c16a3477ef632cbc87a3
SHA256:6b81d10754dadf184d386011486e6509c2cc0c3d33565ced4fb4402b9413d47d
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: org.apache.commons:commons-lang3:3.3.2  Confidence:Highest

org.apache.servicemix.bundles.bcprov-jdk16-1.46_3.jar

Description:

 This OSGi bundle wraps ${pkgArtifactId} ${pkgVersion} jar file.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.apache.servicemix.bundles\org.apache.servicemix.bundles.bcprov-jdk16\1.46_3\bb45f2e86a211f6092e51a0494c73f3bd4bdec30\org.apache.servicemix.bundles.bcprov-jdk16-1.46_3.jar
MD5: fa081810869c3df0574cc58de9780e4e
SHA1: bb45f2e86a211f6092e51a0494c73f3bd4bdec30
SHA256:640a51863a79739925b9e9a90cd6621875985ccb137ea72ea979658b87a99694
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: org.apache.servicemix.bundles:org.apache.servicemix.bundles.bcprov-jdk16:1.46_3  Confidence:Highest

spring-boot-devtools-1.3.3.RELEASE.jar

Description:

 Spring Boot Developer Tools

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-devtools\1.3.3.RELEASE\4802c8ddf34051b07a37124ca38dc7561fe44a47\spring-boot-devtools-1.3.3.RELEASE.jar
MD5: 328ec797031d2ead648af7f48e386539
SHA1: 4802c8ddf34051b07a37124ca38dc7561fe44a47
SHA256:16fc9282a1f0bfde0f4d071d6dd741bd16f3a7e8747da7d1c9b71f7a21ef2c60
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

CVE-2017-8046  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions: (show all)

CVE-2018-1196  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Vulnerable Software & Versions: (show all)

commons-lang-2.6.jar

Description:

 
        Commons Lang, a package of Java utility classes for the
        classes that are in java.lang's hierarchy, or are considered to be so
        standard as to justify existence in java.lang.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-lang\commons-lang\2.6\ce1edb914c94ebc388f086c6827e8bdeec71ac2\commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: commons-lang:commons-lang:2.6  Confidence:Highest

spring-boot-autoconfigure-1.3.3.RELEASE.jar

Description:

 Spring Boot AutoConfigure

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-autoconfigure\1.3.3.RELEASE\e7a4a25f74dac6b335ffabc43e3e8a6e3066340e\spring-boot-autoconfigure-1.3.3.RELEASE.jar
MD5: e71f73b9003c7b2161bb53e8a1232ab7
SHA1: e7a4a25f74dac6b335ffabc43e3e8a6e3066340e
SHA256:4e0f267ac83ddb1ac729b217f1b4c064324e22429f3a3adcfefe0464c2d629dd
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

CVE-2017-8046  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions: (show all)

CVE-2018-1196  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Vulnerable Software & Versions: (show all)

spring-boot-1.3.3.RELEASE.jar

Description:

 Spring Boot

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot\1.3.3.RELEASE\641cc375499d444e4efbc1801902260daa79758d\spring-boot-1.3.3.RELEASE.jar
MD5: f19b4632452399a5157999cc839f0379
SHA1: 641cc375499d444e4efbc1801902260daa79758d
SHA256:ac8bf29852fb76a24a8fd94d74cc9d1973c6a8593b1b34675c42d343568ee246
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

CVE-2017-8046  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Vulnerable Software & Versions: (show all)

CVE-2018-1196  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Vulnerable Software & Versions: (show all)

spring-context-4.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\spring-context\4.2.5.RELEASE\a75e18322c7b362fe1daa26a245ae672ec0f3138\spring-context-4.2.5.RELEASE.jar
MD5: fe68603c5e8e5624ca97c1abec5a02bc
SHA1: a75e18322c7b362fe1daa26a245ae672ec0f3138
SHA256:4967e1b8a5edfdf5297c451701fd16080aea5d39fd15b63b68740ce0851811e6
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:4.2.5  Confidence:Highest  
  • cpe: cpe:/a:pivotal:spring_framework:4.2.5  Confidence:Low  
  • maven: org.springframework:spring-context:4.2.5.RELEASE  Confidence:Highest

CVE-2016-5007  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions: (show all)

spring-aop-4.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\spring-aop\4.2.5.RELEASE\858d6c70909b3ce7e07b59fc936f8ccfcd81c0aa\spring-aop-4.2.5.RELEASE.jar
MD5: d3153041f9ad54a3e0aab79f4587ced0
SHA1: 858d6c70909b3ce7e07b59fc936f8ccfcd81c0aa
SHA256:c4a132d34cf708eb5d5340f5ee75c0a367d7d379c7595663c11f88418e76d0bb
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:4.2.5  Confidence:Highest  
  • cpe: cpe:/a:pivotal:spring_framework:4.2.5  Confidence:Low  
  • maven: org.springframework:spring-aop:4.2.5.RELEASE  Confidence:Highest

CVE-2016-5007  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions: (show all)

spring-beans-4.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\spring-beans\4.2.5.RELEASE\fa992ae40f6fc47117282164e0433b71da385e94\spring-beans-4.2.5.RELEASE.jar
MD5: 6b1e096f3c034634de6269a064bdaa6c
SHA1: fa992ae40f6fc47117282164e0433b71da385e94
SHA256:8ad81e4b404684f6cc9501491d14761ac7d186106608a51f69d931426243ec10
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:4.2.5  Confidence:Highest  
  • cpe: cpe:/a:pivotal:spring_framework:4.2.5  Confidence:Low  
  • maven: org.springframework:spring-beans:4.2.5.RELEASE  Confidence:Highest

CVE-2016-5007  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions: (show all)

spring-expression-4.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\spring-expression\4.2.5.RELEASE\a42bdfb833d0be6c18429aea3fb0fba81f85c6e8\spring-expression-4.2.5.RELEASE.jar
MD5: a25ef213bb1f45b1cab3d4a5f5faff32
SHA1: a42bdfb833d0be6c18429aea3fb0fba81f85c6e8
SHA256:af308c3b3cf4beacc2b32e7a42fe683748d9bb04107743d9255acf40318972fc
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: org.springframework:spring-expression:4.2.5.RELEASE  Confidence:Highest
  • cpe: cpe:/a:pivotal_software:spring_framework:4.2.5  Confidence:Highest  
  • cpe: cpe:/a:pivotal:spring_framework:4.2.5  Confidence:Low  

CVE-2016-5007  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions: (show all)

spring-core-4.2.5.RELEASE.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.springframework\spring-core\4.2.5.RELEASE\251207b29f0f38f61e3495a2f7fb053cf1bfe8c\spring-core-4.2.5.RELEASE.jar
MD5: 0db53054e07407b711fc2b31120f9227
SHA1: 0251207b29f0f38f61e3495a2f7fb053cf1bfe8c
SHA256:cf0304b9287a235e271b9d8d316ad286a788299c9b3188614292c8b6453e669c
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:4.2.5  Confidence:Highest  
  • cpe: cpe:/a:pivotal:spring_framework:4.2.5  Confidence:Low  
  • maven: org.springframework:spring-core:4.2.5.RELEASE  Confidence:Highest

CVE-2016-5007  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Vulnerable Software & Versions: (show all)

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions: (show all)

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Software & Versions: (show all)

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions: (show all)

commons-logging-1.2.jar

Description:

 Apache Commons Logging is a thin adapter allowing configurable bridging to other,
    well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\commons-logging\commons-logging\1.2\4bfc12adfe4842bf07b657f0369c4cb522955686\commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: commons-logging:commons-logging:1.2  Confidence:Highest

aopalliance-1.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\aopalliance\aopalliance\1.0\235ba8b489512805ac13a8f9ea77a1ca5ebe3e8\aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope:webApplication:grettyStarter

Identifiers

  • maven: aopalliance:aopalliance:1.0  Confidence:Highest

org.jacoco.agent-0.8.1.jar

Description:

 JaCoCo Agent

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.agent\0.8.1\af7041102cb6811cc4d73de0f43852980b2896d1\org.jacoco.agent-0.8.1.jar
MD5: 0d1453776ae7d2faacc8122064e75735
SHA1: af7041102cb6811cc4d73de0f43852980b2896d1
SHA256:01a45ada35cc410509606e524efe2376cf2c0c9aa257fcad4587d1e6f5c63c08
Referenced In Projects/Scopes:
  • webApplication:jacocoAnt
  • webApplication:jacocoAgent

Identifiers

  • maven: org.jacoco:org.jacoco.agent:0.8.1  Confidence:Highest

org.jacoco.ant-0.8.1.jar

Description:

 JaCoCo Ant Tasks

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.ant\0.8.1\a9d4e486e391c8ee0f87321d0f97f7b3515a1553\org.jacoco.ant-0.8.1.jar
MD5: 746f3236ca26c8e4bb8684c6a3a3b3b1
SHA1: a9d4e486e391c8ee0f87321d0f97f7b3515a1553
SHA256:b47a8c4c1bce2a5acc650c5153ff473205e47d6f3d7da693a59628340ff80ae6
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.jacoco:org.jacoco.ant:0.8.1  Confidence:Highest

org.jacoco.report-0.8.1.jar

Description:

 JaCoCo Report

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.report\0.8.1\584d29c1b9e0d3a92e9588254a63fdce93b85702\org.jacoco.report-0.8.1.jar
MD5: 1150fba978e0437819a5e4faa34e5efd
SHA1: 584d29c1b9e0d3a92e9588254a63fdce93b85702
SHA256:310ae1a30e6cbcc0f9d2b6a9567b63fcd93e77c8e53da9c2f6c863c3833a9e8d
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.jacoco:org.jacoco.report:0.8.1  Confidence:Highest

org.jacoco.core-0.8.1.jar

Description:

 JaCoCo Core

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.core\0.8.1\49443afe176e3abb2f08f04e78b9b5e776a54705\org.jacoco.core-0.8.1.jar
MD5: 37ce5f5caf5860c73b5165676746196a
SHA1: 49443afe176e3abb2f08f04e78b9b5e776a54705
SHA256:bc1e7dcfa58235c42b5f2de1f7b884b812837e23d0aaf03d8217908462560103
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.jacoco:org.jacoco.core:0.8.1  Confidence:Highest

asm-commons-6.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-commons\6.0\f256fd215d8dd5a4fa2ab3201bf653de266ed4ec\asm-commons-6.0.jar
MD5: cbe9c8e4ed2a7e27de503b43f6dc4d61
SHA1: f256fd215d8dd5a4fa2ab3201bf653de266ed4ec
SHA256:f1bce5c648a96a017bdcd01fe5d59af9845297fd7b79b81c015a6fbbd9719abf
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.ow2.asm:asm-commons:6.0  Confidence:Highest

asm-analysis-6.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-analysis\6.0\dd1cc1381a970800268160203aae2d3784da779b\asm-analysis-6.0.jar
MD5: 78d854d5bf870b360e2dc8414a6a8799
SHA1: dd1cc1381a970800268160203aae2d3784da779b
SHA256:2f1a6387219c3a6cc4856481f221b03bd9f2408a326d416af09af5d6f608c1f4
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.ow2.asm:asm-analysis:6.0  Confidence:Highest

asm-util-6.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-util\6.0\430b2fc839b5de1f3643b528853d5cf26096c1de\asm-util-6.0.jar
MD5: ddd94acc28c09f938523c9f440cd97cc
SHA1: 430b2fc839b5de1f3643b528853d5cf26096c1de
SHA256:356afebdb0f870175262e5188f8709a3b17aa2a5a6a4b0340b04d4b449bca5f6
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.ow2.asm:asm-util:6.0  Confidence:Highest

asm-tree-6.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-tree\6.0\a624f1a6e4e428dcd680a01bab2d4c56b35b18f0\asm-tree-6.0.jar
MD5: 076f7668703c07ff671837ad17f59ea1
SHA1: a624f1a6e4e428dcd680a01bab2d4c56b35b18f0
SHA256:887998fb69727c8759e4d253f856822801e33f9fd4caa566b3ac58ee92106215
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.ow2.asm:asm-tree:6.0  Confidence:Highest

asm-6.0.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm\6.0\bc6fa6b19424bb9592fe43bbc20178f92d403105\asm-6.0.jar
MD5: 305b31315dbca9c3cddac687b4a0e04c
SHA1: bc6fa6b19424bb9592fe43bbc20178f92d403105
SHA256:dd8971c74a4e697899a8e95caae4ea8760ea6c486dc6b97b1795e75760420461
Referenced In Project/Scope:webApplication:jacocoAnt

Identifiers

  • maven: org.ow2.asm:asm:6.0  Confidence:Highest

org.jacoco.agent-0.8.1.jar: jacocoagent.jar

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.agent\0.8.1\af7041102cb6811cc4d73de0f43852980b2896d1\org.jacoco.agent-0.8.1.jar\jacocoagent.jar
MD5: 2873d7006dc9672d84981792df2c5b7a
SHA1: 9aa64427abccf89cfc44a72acaf9d288d80deb8b
SHA256:cd40d1c1aea4112adb82049df3f462b60380ce1bb00bdecb1cfdb862e34be8dd
Referenced In Projects/Scopes:

  • webApplication:jacocoAnt
  • webApplication:jacocoAgent

Identifiers

  • None

org.jacoco.agent-0.8.1.jar: jacocoagent.jar (shaded: org.jacoco:org.jacoco.agent.rt:0.8.1)

Description:

 JaCoCo Java Agent

File Path: C:\Users\Admin\.gradle\caches\modules-2\files-2.1\org.jacoco\org.jacoco.agent\0.8.1\af7041102cb6811cc4d73de0f43852980b2896d1\org.jacoco.agent-0.8.1.jar\jacocoagent.jar\META-INF/maven/org.jacoco/org.jacoco.agent.rt/pom.xml
MD5: 92830d9f9fca035594943743433f951c
SHA1: 7fdbfe65b810433f4b68d36e3c68be5a5785a3a3
SHA256:c2dee6e00cf764f6b7f24c232879fb6e0c78839835ae340bc42eee31043dea78
Referenced In Projects/Scopes:

  • webApplication:jacocoAnt
  • webApplication:jacocoAgent

Identifiers

  • maven: org.jacoco:org.jacoco.agent.rt:0.8.1  Confidence:High


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.